Over the next few months, I'll be digging a bit deeper into what goes into formulating and publishing the various items that should appear in any organization's collection of security policy documents. Today's topic is e-mail policy, which needs to address the following topics:
- Privacy and confidentiality
- Acceptable use criteria
- Employee/employer rights to access e-mail content
- Legal liability and e-mail retrieval on court order
Legal precedent is pretty clear that employers not only own, but are legally responsible for, the content and intent of e-mail transmitted on or from their systems. This means employees need to be informed that they can't expect e-mail to be ignored or that it is safe from monitoring. Employees also need to understand that e-mail can be used to pursue legal remedies for all kinds of reasons (recent court cases have featured sexual harassment charges substantiated by inappropriate e-mails, and Microsoft internal e-mails played a big role in the US government's recent anti-trust case against that company). This means huge volumes of data may have to be made available to attorneys and court officials by court order, or even that entire systems may be seized and confiscated for use as evidence. Clearly, this is an eventuality that e-mail policy should seek to prevent as much as possible.
It's particularly important that employees understand that e-mail is an inherently insecure communications tool, and that confidentiality breaches are possible (if not likely) unless special steps are taken to protect proprietary information, trade secrets and other sensitive information. Thus, e-mail policy needs to state if (and how, where applicable) e-mail may be used to transmit such information (usually only if strong encryption technologies are available and used). Often, e-mail policy prohibits unauthorized use of e-mail to transmit sensitive data of any kind, and organizational e-mail footers regularly include confidentiality protection language (a legal disclaimer) to assert ownership and control over any information that does manage to slip past automatic or mechanical e-mail policy controls.
Acceptable use criteria are important to protect employers from potential legal liability for inappropriate communications, be their recipients internal or external. Issues like sexual harassment, creating a hostile working environment, inappropriate content or language and so forth must be addressed, as well as rules and regulations that spell out what constitutes acceptable use of e-mail. Where unacceptable use occurs, it's also often the case that employers spell out potential consequences that range from reprimands to loss of employment, and even to civil or criminal charges in especially flagrant or egregious cases. Because chain letters, jokes, stories, "funny photos" and so forth can cause network congestion and lead to lost time and productivity, it's also increasingly true that e-mail policies enjoin employees from reading or sending such types of e-mail. The same rules also apply to spam.
For some great discussions and examples of e-mail policy documents, visit:
- www.email-policy.com: An industry trade group site, it offers a great overview, samples, software, pointers and more.
- www.cli.org/emailpolicy/top.html: The Cyberspace Law Institute offers a good set of resources to aid in e-mail policy formulation, including background and overview, sample language and pointers galore.
- Search on "e-mail policy" or "email policy" to find thousands of sample policy documents online, and to locate other topical tools and resources.
Armed with this information, you should be able to review or create your organization's e-mail policy, and make sure it dovetails with overall security policy.
Please feel free to e-mail me with feedback, comments or questions at firstname.lastname@example.org.
About the author
Ed Tittel is VP of Content Services at iLearning, a CapStar company based in Austin, Texas. As creator and series editor for Exam Cram 2, Ed's worked on numerous titles on Microsoft, Novell, CompTIA and security certifications, including Security+, CISSP and TICSA.
For more information, visit these resources:
- Executive Security Briefing: Where do you draw the line on employee monitoring?
- On-demand webcast: Exploring the pros and cons of employee monitoring
- Security Policies Tip: E-mail monitoring as a security policy issue