Problem solve Get help with specific problems with your technologies, process and projects.

Sample e-mail policy template and checklist of concerns

Kevin Beaver provides a simple template approach for writing e-mail security policies and a checklist of concerns.

A well-written e-mail policy goes beyond proper grammar and spelling. It is clear, concise, easily understood and...

formatted to support long-term administration. There is a simple template approach you can take when writing e-mail policies to ensure that they meet each of these requirements.

A security policy should be neatly formatted into different sections that facilitate:

  • Ease of use and readability
  • Ongoing updates
  • Flexibility when organizational needs change

This sounds somewhat detailed and complex, but it's actually really simple. The following format is all it takes to support these elements regardless of the size of your organization:

Introduction: A brief overview of the topic, in this case, e-mail.

Purpose: Briefly outline the high-level goal(s) and strategy of the policy.

Scope: State which employees, departments and e-mail systems are covered.

Roles and responsibilities: Outline who's involved and what they must do to support the policy.

Policy statement: State your actual e-mail policy or policies. This will likely consist of several sentences covering varying topics such as attachments, encryption, spam, confidential information and more. You can also create a separate document for each of these policy statements if they turn out to be too long or vary too much across departments.

Exceptions: Highlight people, departments and e-mail systems that are not covered by the e-mail policy.

Procedures: Detail steps on how the policy is being implemented and enforced. It may make the most sense to reference this information and place it in a separate document.

Compliance: Outline procedures for measuring compliance with this policy.

Sanctions: Outline consequences for policy violations. For example, x happens on the first offense, y happens on the second offense and z happens on the third offense.

Review and evaluation: State when the policy must be reviewed for accuracy, applicability and compliance purposes (i.e. SOX, HIPAA, GLBA, etc.).

References: Point to regulatory code sections and information security standards (ISO/IEC 17799, CoBIT, etc.).

Related documents: Point to other policies, guidelines, standards and related documents.

Revisions: Document ongoing changes.

Notes: Highlight notes, tips, etc., that can help with future policy administration.

Click here for a quick e-mail security policy checklist you can run through to help make sure you're on the right track.

About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic, LLC where he specializes in information security assessments for those who take security seriously and incident response for those who don't. He is author and co-author of several information security books including the
The Definitive Guide to E-mail Management and Security(, Hacking For Dummies (Wiley) and the upcoming Hacking Wireless Networks For Dummies. Kevin can be reached at [email protected]

This was last published in March 2005

Dig Deeper on Email and Messaging Threats-Information Security Threats