Email policy (ISO27001security)
Policy summary
This policy defines and distinguishes acceptable/appropriate from unacceptable/inappropriate use of electronic mail (email).
Applicability
This is a standard corporate policy that applies throughout the organization as part of the corporate governance framework. It applies to all users of the corporate email systems.
Policy Detail
Background
Email is perhaps the most important means of communication throughout the business world. Messages can be transferred quickly and conveniently across our internal network and globally via the public Internet. However, there are risks associated with conducting business via email. Email is not inherently secure, particularly outside our own internal network. Messages can be intercepted, stored, read, modified and forwarded to anyone, and sometimes go missing. Casual comments may be misinterpreted and lead to contractual or other legal issues.
Policy axioms (guiding principles)
A. Email users are responsible for avoiding practices that could compromise information security.
B. Corporate email services are provided to serve operational and administrative purposes in connection with the business. All emails processed by the corporate IT systems and networks are considered to be the organization’s property.
Detailed policy requirements
1. Do not use email:
- To send confidential/sensitive information, particularly over the Internet, unless it is first encrypted by an encryption system approved by Information Security;
- To create, send, forward or store emails with messages or attachments that might be illegal or considered offensive by an ordinary member of the public i.e. sexually explicit, racist, defamatory, abusive, obscene, derogatory, discriminatory, threatening, harassing or otherwise offensive;
- To commit the organization to a third party, for example through purchase or sales contracts, job offers or price quotations, unless you are explicitly authorized by management to do so (principally staff within Procurement and HR). Do not interfere with or remove the standard corporate email disclaimer automatically appended to outbound emails;
- For private or charity work unconnected with the organization’s legitimate business;
- In ways that could be interpreted as representing or being official public statements on behalf of the organization, unless you are a spokesperson explicitly authorized by management to make such statements;
- To send a message from anyone else’s account or in their name (including the use of false «From:» addresses). If authorized by the manager, a secretary may send email on the manager’s behalf but should sign the email in their own name per pro («for and on behalf of») the manager;
- To send any disruptive, offensive, unethical, illegal or otherwise inappropriate matter, including offensive comments about race, gender, colour, disability, age, sexual orientation, pornography, terrorism, religious beliefs and practice, political beliefs or national origin, hyperlinks or other references to indecent or patently offensive websites and similar materials, jokes, chain letters, virus warnings and hoaxes, charity requests, viruses or other malicious software;
- For any other illegal, unethical or unauthorized purpose.
2. Apply your professional discretion when using email, for example abiding by the generally accepted rules of email etiquette (see the Email security guidelines for more). Review emails carefully before sending, especially formal communications with external parties.
3. Do not unnecessarily disclose potentially sensitive information in «out of office» messages.
4. Emails on the corporate IT systems are automatically scanned for malicious software, spam and unencrypted proprietary or personal information. Unfortunately, the scanning process is not 100% effective (e.g. compressed and encrypted attachments may not be fully scanned), therefore undesirable/unsavory emails are sometimes delivered to users. Delete such emails or report them as security incidents to IT Help/Service Desk in the normal way.
5. Except when specifically authorized by management or where necessary for IT system administration purposes, employees must not intercept, divert, modify, delete, save or disclose emails.
6. Limited personal use of the corporate email systems is permitted at the discretion of local management provided always that it is incidental and occasional, and does not interfere with business. You should have no expectations of privacy: all emails traversing the corporate systems and networks are subject to automated scanning and may be quarantined and/or reviewed by authorized employees.
7. Do not use Gmail, Hotmail, Yahoo or similar external/third-party email services (commonly known as «webmail») for business purposes. Do not forward or auto-forward corporate email to external/third party email systems.
8. Be reasonable about the number and size of emails you send and save. Periodically clear out your mailbox, deleting old emails that are no longer required and filing messages that need to be kept under appropriate email folders. Send important emails for archival according to the email archival policy.
Responsibilities
- Information Security Management is responsible for maintaining this policy and advising generally on information security controls. Working in conjunction with other corporate functions, it is also responsible for running educational activities to raise awareness and understanding of the responsibilities identified in this policy.
- IT Department is responsible for building, configuring, operating and maintaining the corporate email facilities (including anti-spam, anti-malware and other email security controls) in accordance with this policy.
- IT Help/Service Desk is responsible for assisting users with secure use of email facilities, and acts as a focal point for reporting email security incidents.
- All relevant employees are responsible for complying with this and other corporate policies at all times. This policy also applies to third party employees acting in a similar capacity whether they are explicitly bound (e.g. by contractual terms and conditions) or implicitly bound (e.g. by generally held standards of acceptable behavior) to comply with our information security policies.
- Internal Audit is authorized to assess compliance with this and other corporate policies at any time.
Related policies, standards and guidelines
Item | Relevance |
---|---|
Information security policy manual | Defines the overarching set of information security controls reflecting ISO/IEC 27002, the international standard code of practice for information security management |
Email archival policy | Explains the rules regarding backups, archives and retrieval of important emails |
Email security guidelines, top tips etc. | General advice for email users, first released through the security awareness program in September 2007. Includes advice on email etiquette, avoiding phishing emails and virus-infected emails etc. |
Contacts
For further information about this policy or information security in general, contact the Information Security Manager. A variety of standards, procedures, guidelines and other materials supporting and expanding upon this and other information security policies are available in the organization’s Information Security Manual, on the corporate intranet and through the Information Security Manager. Local IT/information security contacts throughout the organization can also provide general guidance on the implementation of this policy - contact your line manager or the IT Help/Service Desk for advice.