A security policy should be neatly formatted into different sections that facilitate:
- Ease of use and readability
- Ongoing updates
- Flexibility when organizational needs change
Introduction: A brief overview of the topic, in this case, e-mail.
Purpose: Briefly outline the high-level goal(s) and strategy of the policy.
Scope: State which employees, departments and e-mail systems are covered.
Roles and responsibilities: Outline who's involved and what they must do to support the policy.
Policy statement: State your actual e-mail policy or policies. This will likely consist of several sentences covering varying topics such as attachments, encryption, spam, confidential information and more. You can also create a separate document for each of these policy statements if they turn out to be too long or vary too much across departments.
Exceptions: Highlight people, departments and e-mail systems that are not covered by the e-mail policy.
Procedures: Detail steps on how the policy is being implemented and enforced. It may make the most sense to reference this information and place it in a separate document.
Compliance: Outline procedures for measuring compliance with this policy.
Sanctions: Outline consequences for policy violations. For example, x happens on the first offense, y happens on the second offense and z happens on the third offense.
Review and evaluation: State when the policy must be reviewed for accuracy, applicability and compliance purposes (e.g. SOX, HIPAA, GLBA, etc.).
References: Point to regulatory code sections and information security standards (ISO/IEC 17799, CoBIT, etc.).
Related documents: Point to other policies, guidelines, standards and related documents.
Revisions: Document ongoing changes.
Notes: Highlight notes, tips, etc., that can help with future policy administration.
About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic, LLC where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including The Definitive Guide to E-mail Management and Security (Realtimepublishers.com), Hacking For Dummies (Wiley) and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at firstname.lastname@example.org.
This was first published in March 2005