COMPLIANCE COUNSELOR

Sample e-mail policy template and checklist of concerns


Kevin Beaver, CISSP
03.16.2005

A well-written e-mail policy goes beyond proper grammar and spelling. It is clear, concise, easily understood and formatted to support long-term administration. There is a simple template approach you can take when writing e-mail policies to ensure that they meet each of these requirements.

A security policy should be neatly formatted into different sections that facilitate:

  • Ease of use and readability
  • Ongoing updates
  • Flexibility when organizational needs change

This sounds somewhat detailed and complex, but it's actually really simple. The following format is all it takes to support these elements regardless of the size of your organization:

Introduction: A brief overview of the topic, in this case, e-mail.

Purpose: Briefly outline the high-level goal(s) and strategy of the policy.

Scope: State which employees, departments and e-mail systems are covered.

Roles and responsibilities: Outline who's involved and what they must do to support the policy.

Policy statement: State your actual e-mail policy or policies. This will likely consist of several sentences covering varying topics such as attachments, encryption, spam, confidential information and more. You can also create a separate document for each of these policy statements if they turn out to be too long or vary too much across departments.

Exceptions: Highlight people, departments and e-mail systems that are not covered by the e-mail policy.

Procedures: Detail steps on how the policy is being implemented and enforced. It may make the most sense to reference this information and place it in a separate document.

Compliance: Outline procedures for measuring compliance with this policy.

Sanctions: Outline consequences for policy violations. For example, x happens on the first offense, y happens on the second offense and z happens on the third offense.

Review and evaluation: State when the policy must be reviewed for accuracy, applicability and compliance purposes (e.g. SOX, HIPAA, GLBA, etc.).

References: Point to regulatory code sections and information security standards (ISO/IEC 17799, CoBIT, etc.).

Related documents: Point to other policies, guidelines, standards and related documents.

Revisions: Document ongoing changes.

Notes: Highlight notes, tips, etc., that can help with future policy administration.

A quick e-mail security policy checklist is also available that you can run through to help make sure you're on the right track.

About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic, LLC, where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books, including The Definitive Guide to E-mail Management and Security (Realtimepublishers.com), Hacking For Dummies (Wiley) and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at kbeaver@principlelogic.com.

All Rights Reserved, Copyright 2003 - 2008, TechTarget