Writing Information Security Policies
Appendix C: SAMPLE EMAIL POLICY

Explanation from Appendix C

This section sets forth the Company’s policy on the use of electronic mail (email) for electronic communications.

Administering Email
The Company is responsible for creating and managing an infrastructure that can support the safe and successful delivery of email within the Company and to customers, partners, and others via the Internet.

As part of this architecture, the Company will create means by which it can scan the content of messages to prevent the spread of viruses, worms, Trojan Horses, or other executable items that could pose a threat to the security of the systems and network.

Email Virus Protection
Email that has been found to be infected with a virus, worm, or Trojan Horse, or that contains another executable item that could pose a threat to security, will not be delivered to the user. Infected email should be removed from the delivery system and analyzed by network and security administrators. Network and security administrators are responsible for creating and maintaining the procedures for handling infected email messages that are consistent with these policies.
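As an added illustration of the content scanning that the "Administering Email" and "Email Virus Protection" sections call for, the following Python sketch (written for this page; it is not part of the book's sample policy) assumes a mail gateway that hands each message to a filter as raw bytes. It flags attachments by executable file extension and by PE/ELF magic bytes, so a renamed binary is still caught, and returns a "quarantine" verdict with the reasons administrators would need for their analysis. The extension list and the sample messages are constructed here for the example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List, Optional

# Assumed list of "executable items" the policy's scanning clause would cover.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js", ".ps1",
}


def looks_executable(part) -> Optional[str]:
    """Return a reason string if this MIME part is an executable item, else None."""
    filename = part.get_filename() or ""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"attachment {filename!r} has executable extension {ext}"
    payload = part.get_payload(decode=True) or b""
    # Check magic bytes regardless of the declared name or MIME type,
    # since a renamed binary keeps its header.
    if payload[:2] == b"MZ":
        return f"attachment {filename!r} begins with a PE (MZ) header"
    if payload[:4] == b"\x7fELF":
        return f"attachment {filename!r} begins with an ELF header"
    return None


def classify_message(raw: bytes) -> Dict[str, object]:
    """Decide whether a raw RFC 5322 message may be delivered or must be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Only attachments (or parts carrying a filename) are inspected here.
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue
        reason = looks_executable(part)
        if reason:
            reasons.append(reason)
    return {
        "verdict": "quarantine" if reasons else "deliver",
        "message_id": str(msg.get("Message-ID", "")),
        "reasons": reasons,
    }


def build_sample(filename: str, data: bytes, maintype: str, subtype: str) -> bytes:
    """Construct a sample message with one attachment (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Q3 report"
    m["Message-ID"] = "<sample-1@example.com>"
    m.set_content("See attached.")
    m.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples: an obvious executable, a renamed one, and a clean document.
EXE_BY_NAME = build_sample("report.exe", b"hello", "application", "octet-stream")
EXE_RENAMED = build_sample("report.pdf", b"MZ\x90\x00\x03", "application", "pdf")
CLEAN_PDF = build_sample("report.pdf", b"%PDF-1.4 sample", "application", "pdf")

if __name__ == "__main__":
    for raw in (EXE_BY_NAME, EXE_RENAMED, CLEAN_PDF):
        print(classify_message(raw))
```

The gateway would deliver only messages whose verdict is "deliver" and move the rest, together with the reasons list, to the administrators' analysis queue described in the policy.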

Archiving Email
All email is retained and archived. The archive will reside on a server controlled and managed by network and security administrators, with access limited to security management, human resource management, and the Company’s executive management. This archive may be reviewed at any time to ensure that users are complying with all Company policies. Executive and security management will create a plan for conducting this review and outline appropriate remedies for violators.

The email archive will remain online for six months before being moved to an off-line storage medium. The off-line storage will be maintained for two years, or longer if required by contract or court order. After two years, the off-line medium will be erased or destroyed in a manner commensurate with its technology.

User Responsibilities
Email is the electronic equivalent of a post card. Anyone can read its contents along the delivery path. Sensitive, confidential, or proprietary information may be sent to users who have access to the local area network. Appropriate information may be sent to customers and partners with connections to the local area network. No sensitive, confidential, or proprietary information may be sent to anyone via the Internet.

All users of the Company’s email service will follow and respect the Ten Commandments of Email:

  1. Thou shalt demonstrate the same respect thou givest to verbal communications.
  2. Thou shalt check thy spelling, thy grammar, and read thine own message thrice before thou send it.
  3. Thou shalt not forward any chain letter.
  4. Thou shalt not transmit unsolicited mass email (spam) unto anyone.
  5. Thou shalt not send messages that are hateful, harassing, or threatening unto fellow users.
  6. Thou shalt not send any message that supports illegal or unethical activities.
  7. Thou shalt remember that thine email is the electronic equivalent of a post card and shall not be used to transmit sensitive information.
  8. Thou shalt not use thine email broadcasting facilities except for making appropriate announcements.
  9. Thou shalt keep thy personal email use to a minimum.
  10. Thou shalt keep thy policies and procedures sacred and help administrators protect them from abusers.


All questions, comments, and corrections may be e-mailed to the author. Last update: October 09, 2011