Case Document

Build Your Own: E-mail Usage Policy

© 1995-2005 CNET Networks, Inc. All rights reserved. “TechRepublic” and its logo are trademarks of CNET Networks, Inc. Reproduction of this publication in any form is prohibited.

Why an E-mail Usage Policy is important

E-mail is undoubtedly one of the greatest communication tools we have today. Employees, vendors, customers, executives, and other corporate users have all benefited from the advancements made to e-mail over the years. However, e-mail has also created many problems for IT professionals with the spread of viruses, spam, and worms. In addition, e-mail has spawned many lawsuits from users offended by the mail received in their corporate inbox. While the law on Internet e-mail is still vague, the courts are clear about one thing—employers that have an E-mail Usage Policy read and signed by employees can protect themselves from many claims.

Typically, a company should develop an E-mail Usage Policy that is consistent with other communication media such as fax or letter mail. While e-mail requires less effort to distribute than these more formal means of communication, the company’s name still goes out on the header of the message. This company “stationery” makes it the responsibility of the company to ensure the intended recipients of employees’ e-mail are not offended or damaged by the content. In addition, an effective E-mail Usage Policy can help you maintain the integrity of your system against viruses, and prevent lawsuits from violations of intellectual property, anti-spam laws, sexual harassment, wrongful termination, and more.

A final area of concern is employee privacy. Many employees who have been dismissed for sending inappropriate e-mails have brought litigation claims against former employers for invasion of their privacy. A clearly defined E-mail Usage Policy can mitigate the risk of liability.
If employees have been properly trained on the e-mail system and have signed the usage policy, then it will be difficult for them to claim they were not aware of your capabilities for monitoring.

This is an alpha version of TechRepublic’s Build Your Own E-mail Usage Policy. Please provide TechRepublic’s editors with feedback on what you found helpful in this document, as well as anything you may not have found beneficial. Be sure to also let our editors know if you feel a particularly important component or element has been omitted that should be included. Feedback may be sent directly to the team developing this document at mailto:content1@cnet.com.

This is an alpha version of TechRepublic’s Build Your Own E-mail Usage Policy. As such, this specific IT policy addresses appropriate end user e-mail use. Please send your suggestions for other IT policies or template topics you would find helpful to TechRepublic editors directly at mailto:content1@cnet.com.

Critical E-mail Usage Policy elements

Introduction

An E-mail Usage Policy’s introduction should briefly explain the purpose for the policy as well as define a few of the elements the company considers to be “e-mail”. For instance, e-mail may be defined as mail sent from a MAPI client software package like Outlook, an instant messaging service, a peer-to-peer file exchange, or some combination thereof.

A comparison to other forms of written communication and the company’s expectation of standards for e-mail should be presented. Most E-mail Usage Policy introductions reinforce the stricter guidelines that e-mail is a tool used only for business communications, but some leave open the possibility of personal use if the company’s culture desires it.
The introduction should also clearly state that e-mail exchanged on its systems is considered the property of the company, which gives it the right to monitor accounts for policy compliance.

Guidelines for authorized use

Acceptable use of e-mail should be clearly defined. If your organization permits reasonable personal use, the policy should clearly state such use must not interfere with the performance of work responsibilities. The following are other guidelines typically seen in e-mail usage policies in the authorized use section:

• Subscribing to distribution lists and other forms of e-mail subscription services related to your job function is allowed. If the service does not pertain to your job function, seek manager approval before signing up.
• Passwords are your best defense against unauthorized use of your e-mail account. Do not compromise your account by giving it to others or displaying it in public view.
• The encryption of e-mail is not necessary for most situations, but all confidential messages should contain some form of encoding. If in doubt, contact your manager.
• Users should take care in addressing messages so they reach the appropriate recipient. Also, spelling and grammar should be checked by the e-mail client before sending the message.
• Long term message retention is important only if it is relevant for business or legal purposes. If you desire to keep less important messages for longer than X days, please archive the e-mail to your allotted server storage space. The e-mail system is designed to delete messages older than X number of days.
• Avoid sending company- or department-wide messages. E-mail “blasting” can cause a system to slow down and affect performance. If you have a company- or department-wide message to deliver, first send it to a user who has access to the “all company” e-mail grouping.
• Large e-mail attachments can drastically slow system performance.
  Attachments that exceed X MB in size will be removed by the server and not sent.

Prohibited use of e-mail

An E-mail Usage Policy should clearly state what is not allowed on the system. While some items are obvious, you should try to list as many offences as possible to make the policy more enforceable should the need arise. The following are just a sample of prohibited activities you should consider when creating your policy:

• Creating or exchanging offensive or obscene messages of any kind, including pornographic material
• Sending e-mail that promotes discrimination on the basis of race, gender, national origin, age, marital status, sexual orientation, religion, or disability
• Sending e-mail that contains a threatening or violent message
• Exchanging proprietary information, trade secrets, or other confidential information with anyone not affiliated with the company
• Creating, forwarding, or exchanging spam, chain letters, solicitations, or advertising
• Creating, storing, or exchanging e-mail that violates material protected under copyright laws
• Distributing corporate data to the organization’s customers or clients without proper authorization
• Altering a message from other users without their permission
• Opening e-mail without performing a virus scan
• Improperly using someone else’s e-mail account as your own without permission

Factors affecting productivity

It is imperative that users understand how sending e-mail to large distribution groups can overload a system. Many recipients do not need the e-mail and it can get in the way of other more important messages. Attachments are another big concern for IT professionals, as the MB size continues to grow and user inboxes fill with unneeded files.
One way to combat attachment broadcasting is to centralize storage with space on an Intranet Web site that users can provide links to in their e-mail messages.

Following the guidelines set forth in the E-mail Usage Policy will help users understand the importance of sending well defined e-mails. Perhaps nowhere is this clarification more apparent than the subject line. Message handling is vastly improved when subject lines are to the point and encompass the major thrust of the e-mail message. This will ensure the message is not discarded before being read and will be easier to sort.

Security

E-mail is the easiest method for hackers to distribute viruses, worms, and other forms of malicious software. Defending against these attacks is a major part of any IT professional’s job. Thus, the security section of the E-mail Usage Policy can go a long way to defining how restrictive an organization is with its e-mail service. The company may wish to limit e-mail accounts only to individuals whose job descriptions require a legitimate business use. Others may define a more liberal account structure, yet monitor usage and deal with problem accounts according to the E-mail Usage Policy.

Privacy

E-mail Usage Policies should ensure users maintain no expectation of privacy while using company-owned or company-leased equipment. Further, the policy should make it clear that information passing through or stored on company equipment can and will be monitored. Users should also know the organization maintains the right to monitor and review e-mail communications sent or received by users as necessary and that such communications should not be considered private or secure.

Violation penalties

E-mail Usage Policies must clearly state the consequences of improper use, which typically range from loss of e-mail account privileges to termination. Policies should state how violations will be reviewed, such as on a case-by-case basis or on an every-case basis.
Policies should also describe the events that will be triggered when a violation occurs. For example, a policy’s Violations section might read as follows:

Violations will be reviewed on a case-by-case basis. If it is determined that a user has violated one or more use regulations, that user will receive a reprimand from his or her supervisor and his or her future use will be closely monitored. If a gross violation has occurred, management will take immediate action. Such action may result in losing e-mail account privileges, severe reprimand, or termination of employment.

Reporting

When violations occur, appropriate IT department staff and the offender’s managing supervisor should be formally notified. Depending upon your organization, it may be appropriate to copy Human Resources personnel on all messaging related to the violation. And, if the organization monitors employee e-mail use, mail server log files should be saved as backup.

IT staff should take care when reviewing monitored communications to ensure employees are aware e-mail use is being monitored. IT staff should monitor users’ e-mail use only insofar as is required to support operational, maintenance, auditing, security, and investigative activities. Users should be told that IT staff may review individual employees’ communications during the course of resolving a problem, but IT staff should be encouraged not to review specific employees’ e-mail habits out of personal curiosity or at the behest of individuals who have not received proper approval to monitor employee e-mail use.

Organizational readiness

An E-mail Usage Policy will fail to curtail inappropriate e-mail use if the policy is not rolled out properly or enforced.
Employees should be required to sign a personal copy of the E-mail Usage Policy and state that they have read and understood the policy. E-mail Usage Policies must be enforced to be effective. Violation reports must be followed up professionally, and offenders must be dealt with according to the policy’s direction.

Length and language

There is no requirement that an E-mail Usage Policy be lengthy, contain legal jargon, or use excessive wording. You are likely to be best served by clearly communicating, succinctly and in language users understand, which e-mail activities are acceptable, which are not, and what the penalties for noncompliance are.

Lack of enforcement

Users will catch on quickly when an E-mail Usage Policy is not enforced. Here IT staff members can lead by example by ensuring they refrain from using the organization’s systems to check e-mail in order to perform non-business-related activities. When violations are discovered, the IT staff should work professionally with the offender, the offender’s supervising manager, and a Human Resources representative to ensure situations are resolved quickly.

Important items

When preparing an E-mail Usage Policy, your organization needs to make difficult decisions regarding which e-mail activities are acceptable and which are prohibited. Tough decisions must also be made when determining the penalties for violations.

Ensure your IT department and Human Resources staff agree on the policy’s terms, especially for the following items:

• Specific examples of acceptable e-mail usage
• Specific examples of unacceptable e-mail usage
• Penalties for first-time offenders
• Penalties for repeat offenders

Build Your Own E-mail Usage Policy

To begin customizing the alpha version of TechRepublic’s Build Your Own E-mail Usage Policy, open the Excel spreadsheet included in the zip file with this case document.