Email is an essential component of business communication; however, it presents a particular set of challenges because of its potential to introduce security threats to the network. Email can also affect the company's liability by providing a written record of communications, so a well-thought-out policy is essential. This policy outlines expectations for appropriate, safe, and effective email use.
The purpose of this policy is to detail the company's usage guidelines for the email system. This policy will help the company reduce risk of an email-related security incident, foster good business communications both internal and external to the company, and provide for consistent and professional application of the company's email principles.
The scope of this policy includes the company's email system in its entirety, including desktop and/or web-based email applications, server-side applications, email relays, and associated hardware. It covers all electronic mail sent from the system, as well as any external email accounts accessed from the company network.
Proper Use of Company Email Systems
Users are asked to exercise common sense when sending or receiving email from company accounts. Additionally, the following applies to the proper use of the company email system.
1. Sending Email
When using a company email account, email must be addressed and sent carefully. Users should keep in mind that the company loses all control of an email once it leaves the company network. To avoid inadvertent disclosure of information to an unintended recipient, users must take extreme care when typing in addresses (particularly when email address auto-complete features are enabled), when using the "reply all" function, and when using distribution lists. Careful use of email will help the company avoid the unintentional disclosure of sensitive or non-public information.
2. Personal Use and General Guidelines
Personal usage of company email systems is permitted as long as A) such usage does not negatively impact the corporate computer network, and B) such usage does not negatively impact the user's job performance.
The following is never permitted: spamming, harassment, communicating threats, solicitations, chain letters, or pyramid schemes. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are prohibited.
The user is prohibited from forging email header information or attempting to impersonate another person.
Email is an insecure method of communication, and thus information that is considered confidential or proprietary to the company may not be sent via email, regardless of the recipient, without proper encryption.
It is company policy not to open email attachments from unknown senders, or when such attachments are unexpected.
Email systems were not designed to transfer large files and as such emails should not contain attachments of excessive file size.
Please note that the topics above may be covered in more detail in other sections of this policy.
3. Business Communications and Email
The company uses email as an important communication medium for business operations. Users of the corporate email system are expected to check and respond to email in a consistent and timely manner during business hours.
Additionally, users are asked to recognize that email sent from a company account reflects on the company, and, as such, email must be used with professionalism and courtesy.
4. Email Signature
An email signature (contact information appended to the bottom of each outgoing email) is required for all emails sent from the company email system. At a minimum the signature should include the user's:
Fax number if applicable
URL for corporate website
Email signatures may not include personal messages (political, humorous, etc.). The company’s IT resources may assist in email signature setup if necessary.
5. Auto-Responder
The company recommends the use of an auto-responder (if the email system is equipped with such a feature) if the user will be out of the office for an entire business day or more. The auto-response should notify the sender that the user is out of the office, the date of the user's return, and who the sender should contact if immediate assistance is required.
6. Mass Emailing
The company makes a distinction between the sending of mass emails and the sending of unsolicited email (spam). Mass emails may be useful for both sales and non-sales purposes (such as when communicating with the company's employees or customer base) and are allowed as the situation dictates. The sending of spam, on the other hand, is strictly prohibited.
It is the company's intention to comply with applicable laws governing the sending of mass emails. For this reason, as well as in order to be consistent with good business practices, the company requires that email sent to more than twenty (20) recipients external to the company have the following characteristics:
The email must contain instructions on how to unsubscribe from receiving future emails (a simple "reply to this message with UNSUBSCRIBE in the subject line" will do). Unsubscribe requests must be honored immediately.
The email must contain a subject line relevant to the content.
The email must contain contact information, including the full physical address, of the sender.
The email must contain no intentionally misleading information (including the email header), blind redirects, or deceptive links.
Note that emails sent to company employees, existing customers, or persons who have already inquired about the company's services are exempt from the above requirements.
7. Opening Attachments
Users must use care when opening email attachments. Viruses, Trojans, and other malware can be easily delivered as an email attachment. Users should:
Never open unexpected email attachments.
Never open email attachments from unknown sources.
Never click links within email messages unless they are certain of the link's safety. It is often best to copy and paste the link into the web browser, or retype the URL, since formatted (HTML) emails can display link text that differs from the actual destination URL and so hide a malicious URL.
Always be cognizant of external emails asking for personal, confidential, or financial information, especially requests involving monetary resources of any kind (payroll changes, gift cards, etc.).
The company may use methods to block emails it considers dangerous, or to strip potentially harmful email attachments, as it deems necessary.
8. Monitoring and Privacy
Users should expect no privacy when using the corporate network or company resources. Such use may include, but is not limited to, the transmission and storage of files, data, and messages. The company reserves the right to monitor any and all use of the computer network. To ensure compliance with company policies, this may include the interception and review of any emails or other messages sent or received, as well as the inspection of data stored in personal file directories, on hard disks, and on removable media.
9. Company Ownership of Email
Users should be advised that the company owns and maintains all legal rights to its email systems and network; thus any email passing through these systems is owned by the company and may be used for purposes not anticipated by the user. Keep in mind that email may be backed up, otherwise copied, retained, or used for legal, disciplinary, or other reasons. Additionally, the user should be advised that email sent to or from certain public or governmental entities may be considered public record.
10. Contents of Received Emails
Users must understand that the company has little control over the contents of inbound email, and that this email may contain material that the user finds offensive. If unsolicited email becomes a problem, the company may engage methods to reduce the amount of this email that users receive. The best course of action is to not open emails that, in the user's opinion, seem suspicious. If the user is particularly concerned about an email, or believes that it contains illegal or malicious content, the user should notify his or her supervisor.
11. Access to Email from Mobile Phones
Many mobile phones or other devices, often called smartphones, provide the capability to send and receive email. This can present a number of security issues, particularly relating to the storage of email, which may contain sensitive data, on the phone. Users are not to access, or attempt to access, the company's email system from a mobile phone without the permission of his or her supervisor.
Note that this section does not apply if the company provides the phone and mobile email access as part of its remote access plan. In this case, permission is implied. Refer to the Mobile Device Policy for more information.
12. Email Regulations
Any specific regulations (industry, governmental, legal, etc.) relating to the company's use or retention of email communications must be listed here or appended to this policy.
External and/or Personal Email Accounts
The company recognizes that users may have personal email accounts in addition to their company-provided account. The following sections apply to non-company provided email accounts:
1. Use for Company Business
Personal email accounts should not be used to conduct company-related business, unless expressly permitted by the user’s supervisor.
2. Access from the Company Network
Users are prohibited from accessing external or personal email accounts from the corporate network. Due to the prevalence of email-borne security threats, these accounts cannot be supervised or monitored by the company and thus pose a risk to the company that cannot be mitigated.
3. Use for Personal Reasons
Users are required to use a non-company-provided (personal) email account for all non-business communications. The corporate email system is for corporate communications only. Users must follow applicable policies regarding the access of non-company-provided accounts from the company network.
Confidential Data and Email
The following sections relate to confidential data and email:
1. Email Passwords
As with any company passwords, passwords used to access email accounts must be kept confidential and used in adherence with the Password Policy. At the discretion of the IT Manager, the company may further secure email with certificates, two factor authentication, or another security mechanism.
2. Emailing Confidential Data
Email is an insecure means of communication. Users should consider email as they would a postcard, which, like email, can be intercepted and read on the way to its intended recipient.
The company requires that any email containing confidential information, regardless of whether the recipient is internal or external to the company network, be encrypted using commercial-grade, strong encryption.
Further guidance on the treatment of confidential information exists in the company's Confidential Data Policy. If information contained in the Confidential Data Policy conflicts with this policy, the Confidential Data Policy will apply.
Company Administration of Email
The company will use its best effort to administer the company's email system in a manner that both allows users to be productive while working and reduces the risk of an email-related security incident.
1. Filtering of Email
A good way to mitigate risk from email is to filter it before it reaches the user so that the user receives only safe, business-related messages. For this reason, the company will filter email at the Internet gateway and/or the mail server, in an attempt to filter out spam, viruses, or other messages that may be deemed A) contrary to this policy, or B) a potential risk to the company's IT security. No method of email filtering is completely effective, so the user is asked additionally to be cognizant of this policy and use common sense when opening emails.
Additionally, many email and/or anti-malware programs will identify and quarantine emails that they deem suspicious. This functionality may or may not be used, at the discretion of the company.
2. Email Disclaimers
The use of an email disclaimer appended to outgoing email messages is an important component in the company's risk reduction efforts. The company requires the use of email disclaimers on every outgoing email, which must contain the following notices:
The email is for the intended recipient only
The email may contain private information
If the email is received in error, the sender should be notified and any copies of the email destroyed
Any unauthorized review, use, or disclosure of the contents is prohibited
An example of such a disclaimer is:
NOTE: This email message and any attachments are for the sole use of the intended recipient(s) and may contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by replying to this email, and destroy all copies of the original message.
The company should review any applicable regulations relating to its electronic communication to ensure that its email disclaimer includes all required information.
3. Email Deletion
Users are encouraged to delete email periodically when the email is no longer needed for business purposes. The goal of this policy is to keep the size of the user's email account manageable, and reduce the burden on the company to store and backup unnecessary email messages.
However, users are strictly forbidden from deleting email in an attempt to hide a violation of any company policy. Further, email must not be deleted when there is an active investigation or litigation where that email may be relevant.
The company may archive or place a hold on email accounts and messages to ensure regulatory compliance, satisfy legal requirements or preserve company information.
4. Retention and Backup
Email should be retained and backed up in accordance with the applicable policies, which may include but are not limited to the: Data Classification Policy, Confidential Data Policy, Backup Policy, and Retention Policy.
Unless otherwise indicated, for the purposes of backup and retention, email should be considered operational data.
5. Address Format
Email addresses must be constructed in a standard format in order to maintain consistency across the company. The company shall choose a format that suits its needs and can be applied consistently throughout the organization. The intent of this policy is to simplify email communication as well as provide a professional appearance.
6. Email Aliases
The use of an email alias, which is a generic address that forwards email to a user account, is often a good idea when an email address needs to be made public, such as on the Internet. Aliases reduce the exposure of unnecessary information, such as the address format for company email and (often) the names of the company employees who handle certain functions. Keeping this information private can decrease risk by reducing the chances of a successful social engineering attack.
A few examples of commonly used email aliases are:
The company requires the use of email aliases in all situations where an email address will be explicitly exposed to the general public, such as for publication on a website.
7. Account Activation
Email accounts will be set up for each user determined to have a business need to send and receive company email. Accounts will be set up at the time a new hire starts with the company, or when a promotion or change in work responsibilities for an existing employee creates the need to send and receive email.
Accounts on the company email system will never be provided to non-employees of the company.
8. Account Termination
When a user leaves the company, or his or her email access is officially terminated for another reason, the company will disable the user's access to the account by changing the password and preventing logins to the account. The company is under no obligation to block the account from receiving email, and may continue to forward inbound email sent to that account to another user, or set up an auto-response to notify the sender that the user is no longer employed by the company.
9. Storage Limits
As part of the email service, email storage may be provided on company servers or other devices. The email account storage size must be limited to what is reasonable for each employee, at the determination of the company. Storage limits may vary by employee or position within the company.
Unacceptable Use
The following actions shall constitute unacceptable use of the corporate email system. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are deemed unacceptable. The user may not use the corporate email system to:
Send any information that is illegal under applicable laws.
Access another user's email account without A) the knowledge or permission of that user (access without permission should only occur in extreme circumstances); B) the approval of company executives in the case of an investigation; or C) when such access constitutes a function of the employee's normal job responsibilities.
Send any emails that may cause embarrassment, damage to reputation, or other harm to the company.
Delete or modify emails in order to mask actions taken by a user that may be detrimental to the company’s operations or interests.
Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, harassing, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
Send emails that cause disruption to the workplace environment or create a hostile workplace. This includes sending emails that are intentionally inflammatory, or that include information not conducive to a professional working atmosphere.
Make fraudulent offers for products or services.
Attempt to impersonate another person or forge an email header.
Send spam, solicitations, chain letters, or pyramid schemes.
Knowingly misrepresent the company's capabilities, business practices, warranties, pricing, or policies.
Conduct non-company-related business.
The company may take steps to report and prosecute violations of this policy, in accordance with company standards and applicable laws.
1. Data Leakage
Data can leave the network in a number of ways. Often this occurs unintentionally by a user with good intentions. For this reason, email poses a particular challenge to the company's control of its data.
Unauthorized emailing of company data, confidential or otherwise, to external email accounts for the purpose of saving this data external to company systems is prohibited. If a user needs access to information from external systems (such as from home or while traveling), that user should notify his or her supervisor rather than emailing the data to a personal account or otherwise removing it from company systems.
The company may employ data loss prevention techniques to protect against leakage of confidential data at the discretion of the company.
2. Email Attachments
Email systems were not designed to transfer large files, and as such emails should not contain attachments of excessive file size. The company asks that users limit email attachments to 10 MB or less. Users are further asked to recognize the additive effect of large email attachments when sent to multiple recipients, and to use restraint when sending large files to more than one person.
Users should be aware that certain types of attachments such as executable programs, scripts, and file types that can run computer code are almost always quarantined by recipient email systems. Additionally, the company’s reputation can be negatively affected if these types of attachments are sent, since they constitute a well-known threat to recipients’ IT security. Attachments that can run programs or code therefore should never be sent via email under any circumstances.
Certain other types of attachments such as ZIP files have a reputation in IT security for presenting risks to computers and networks. Users are advised to use discretion when sending these types of attachments and should be aware that delivery may be delayed to their recipients due to email filtering mechanisms.
Applicability of Other Policies
This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
Enforcement
This policy will be enforced by the Executive Team and IT personnel/partners. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities are suspected, the company may report such activities to the applicable authorities. If any provision of this policy is found to be unenforceable or voided for any reason, such invalidation will not affect any remaining provisions, which will remain in force.
Definitions
Auto Responder: An email function that sends a predetermined response to anyone who sends an email to a certain address. Often used by employees who will not have access to email for an extended period of time, to notify senders of their absence.
Certificate: Also called a "Digital Certificate." A file that confirms the identity of an entity, such as a company or person. Often used in VPN and encryption management to establish trust of the remote entity.
Data Leakage: Also called Data Loss, data leakage refers to data or intellectual property that is pilfered in small amounts or otherwise removed from the network or computer systems. Data leakage is sometimes malicious and sometimes inadvertent by users with good intentions.
Email: Short for electronic mail, email refers to electronic letters and other communication sent between networked computer users, either within a company or between companies.
Encryption: The process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored.
Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or smartphones.
Password: A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.
Spam: Unsolicited bulk email. Spam often includes advertisements, but can include malware, links to infected websites, or other malicious or objectionable content.
Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.
Two Factor Authentication: A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.