Email is a fast, easy and readily accessible means of business communication.  It has changed the way we communicate.  These are the obvious rewards – but they are also the basis of every risk.  Whenever email content is ill-advised, inappropriate, or even gets into the wrong hands, negative consequences can follow, including legal liability, regulatory penalties, confidentiality breaches, damage to corporate reputation, public embarrassment, internal conflicts, and all the related losses in productivity and performance that these circumstances can cause.  Further, data loss and damage to technology assets can be realized through the transmission of malicious code, spam and computer viruses.

Perform the “What-if” Analysis: What are the risks to my organization of email abuse and/or misuse, and what are the likely consequences if these risks are not properly addressed? The next step is to weigh the costs and complications of all mitigating actions, and to then strike an appropriate balance between risk and probability.

To eliminate email usage is impractical and even unthinkable – so the goal has to be to minimize the risks through the best means possible – and that is through the use of physical security precautions and practical, relevant and enforceable email policy.  To realize all of the intended goals and objectives, related policies (which will integrate closely with data security and internet usage policies) must encompass four (4) key governance needs:

1. Email Usage:  To determine the circumstances under which email can and will be used within a given organization, whether there will be any limits and/or restrictions on the types of information that can be transmitted via email, as well as any limits and/or restrictions on the use of business email systems for personal communications.
2. Email Oversight:  To establish that emails are official company records and to determine the manner in which email usage will be monitored and controlled, including the “ownership” of email content transmitted on business email systems.
3. Email Etiquette:  To establish formatting, content and usage guidelines designed to minimize the risk that email content will be deemed unprofessional, offensive, inappropriate or subject to ridicule and criticism.
4. Email Management:  To establish and implement appropriate technical controls to limit the risks of inbound email spam, virus and malicious code, and to establish automated procedures for email backup, storage and retention.

As a whole, usage, oversight, etiquette and management parameters must be combined to formulate “policy” that is aligned with business and technical needs, realistic considering actual communication needs, and enforceable considering corporate culture and related technical abilities.

Key Questions for Policy Scope and Content

To ensure that all usage, oversight, etiquette and management needs can be met, adopted email policies must be designed according to anticipated email usage, corporate culture, characteristics, business requirements, legal requirements, technical requirements and internal capabilities for enforcement.  The list below provides a head start for policy planning, listing the key questions to be considered and addressed as part of the policy development process:

• Policy Purpose
  • What are the specific goals of this email policy?
  • Why has the policy been created (considering the background events leading to policy development)?
  • What will the policy accomplish considering email usage, access, etiquette and management goals and objectives?
• Policy Basis
  • What is the underlying authority and/or organizational basis for this email policy (considering internal guidelines and/or external regulatory requirements)?
  • Do you have sufficient executive support to sufficiently enforce compliance with all of the policy provisions?
• Policy Scope
  • What are the organizational targets of the policy considering company-wide applicability, division specific application, departmental application or location specific application?
• Policy Stakeholders
  • Who are the policy stakeholders considering both individuals and groups who have a vested interest in the policy and ability to influence the outcome?
  • What are the specific roles and responsibilities required to implement, administer and enforce all policy terms, including all stated compliance obligations?
• Email Management
  • What are the means and methods to be utilized to manage and secure all email systems considering access,  standards for email addresses, restrictions on attachment size, remote access, spam and junk mail limitations and related management controls?
• Compliance and Enforcement Guidelines
  • What are established guidelines for email policy compliance?
  • Will there be any exceptions and/or waivers with regard to policy compliance?  If so, what are the terms under which exceptions and/or waivers will be granted?
  • How will compliance be enforced and what are the consequences for a failure to comply?
  • How will employees be provided with training relating to email policy compliance?
  • What types of auditing procedures will be used to monitor and promote email policy compliance?