Email Security Policy
Your Company Needs an Email Security Policy
Whether you are a large or small company and no matter your industry you should have a well planned and updated email security policy. The policy takes the form of an official document which lays out the rules of how your corporate email system should be used by staff.
Security policies are vital for the effective management of your corporate email system, they should also be designed to protect the company from legal liability, data loss or theft, downtime and brand or reputation damage.
What Should You Include in Your Email Security Policy?
How you construct your policy will be highly dependent on numerous factors. These will include your local laws, the industry you operate in and the type of data that you store (local laws differ greatly on such elements as personally identifiable information and financial information). There are some common guiding principals for what should typically be included in corporate email policies.
An important aspect for any policy should be a clear and concise statement that the company owns any communications within the email system. You should also accurately detail what employees are responsible for, including when they can be held accountable for irresponsible, damaging or even criminal use.
To be Included
- How and when to report suspicious, offensive or unauthorised email communications
- Details on what employees can and cannot use company email for — for example, this will commonly include forbidding employees from using the company email accounts for personal reasons.
- Clear guidelines on content that will never be tolerated in company emails, this may include offensive language, racist language or terms, threats, confidential information including passwords and other credentials
- Email retention policies inform the users how and how long emails will be stored
- Consequences to the employee if they are found to have not followed the guidelines provided in the email policy
Policy Content Structure and Examples
- Sending emails
- Addressed correctly
- Professional use of language
- Email Signatures and Auto Responders
- Signatures must be in an approved format
- Auto responders must conform to policy guide
- Mass emailing
- If and when this is allowed
- Large emails
- Attachment size limits
- Allowed file types
- Opening attachments
- Known and unknown senders
- Risks of opening attachments
- Responsibility of the employee
- Company ownership and business communications
- Company owns and maintains all legal rights to email of all staff
- Personal use
- Company email should only be used for business reasons
- Monitoring and privacy
- Expectation of no privacy in line with local laws
- Company email is the property of the company
- Sensitive data
- Use of approved encryption method
- Approval from Management
- Data leakage
- Unauthorised data sent is prohibited
- Clear guide on what constitutes authorised and unauthorised data
- Storage limits & email retention
- Retention policy set at company discretion
- Storage limits per user and how they are managed
- Aliases
- Sending authorisation on behalf fo another user
- Prohibited actions
- Using someone else’s email except as an authorised alias
- Defamatory language
- Reputation damage
- Illegal content
- Threats
- Fraud
If you need help or advice related to this topic please get in touch with us here