Build Your Own: E-mail Usage Policy
© 1995-2005 CNET Networks, Inc. All rights reserved. “TechRepublic” and its logo are trademarks of CNET Networks, Inc. Reproduction of this publication in any form is prohibited.
Case Document
Build Your Own: E-mail Usage Policy
Why an E-mail Usage Policy is important
E-mail is undoubtedly one of the greatest communication tools we have today. Employees, vendors, customers,
executives, and other corporate users have all benefited from the advancements made to e-mail over
the years. However, e-mail has also created many problems for IT professionals with the spread of viruses,
spam, and worms. In addition, e-mail has spawned many lawsuits from users offended by the mail received
in their corporate inbox. While the law on Internet e-mail is still vague, the courts are clear about one thing—
employers that have an E-mail Usage Policy read and signed by employees can protect themselves from
many claims.
Typically, a company should develop an E-mail Usage Policy that is consistent with other communication
media such as fax or letter mail. While e-mail requires less effort to distribute than these more formal means
of communication, the company’s name still goes out on the header of the message. This company “stationery”
makes it the responsibility of the company to ensure the intended recipients of employees’ e-mail are
not offended or damaged by the content.
In addition, an effective E-mail Usage Policy can help you maintain the integrity of your system against
viruses, and prevent lawsuits from violations of intellectual property, anti-spam laws, sexual harassment,
wrongful termination, and more.
A final area of concern is employee privacy. Many employees who have been dismissed for sending inappropriate
e-mails have brought litigation claims against former employers for invasion of their privacy. A clearly
defined E-mail Usage Policy can mitigate the risk of liability. If employees have been properly trained on the
e-mail system and have signed the usage policy, then it will be difficult for them to claim they were not aware
of your capabilities for monitoring.
This is an alpha version of TechRepublic’s Build Your Own E-mail Usage Policy.
Please provide TechRepublic’s editors with feedback on what you found helpful in this
document, as well as anything you may not have found beneficial. Be sure to also let
our editors know if you feel a particularly important component or element has been
omitted that should be included. Feedback may be sent directly to the team developing
this document at mailto:
This is an alpha version of TechRepublic’s Build Your Own E-mail Usage Policy. As
such, this specific IT policy addresses appropriate end user e-mail use. Please send
your suggestions for other IT policies or template topics you would find helpful to
TechRepublic editors directly at mailto:
Critical E-mail Usage Policy elements
Introduction
An E-mail Usage Policy’s introduction should briefly explain the purpose for the policy as well as define a few
of the elements the company considers to be “e-mail”. For instance, e-mail may be defined as mail sent from
a MAPI client software package like Outlook, an instant messaging service, a peer-to-peer file exchange, or
some combination thereof.
A comparison to other forms of written communication and the company’s expectation of standards for e-mail
should be presented. Most E-mail Usage Policy introductions reinforce the stricter guidelines that e-mail
is a tool used only for business communications, but some leave open the possibility of personal use if the
company’s culture desires it. The introduction should also clearly state that e-mail exchanged on its systems
is considered the property of the company, which gives it the right to monitor accounts for policy compliance.
Guidelines for authorized use
Acceptable use of e-mail should be clearly defined. If your organization permits reasonable personal use, the
policy should clearly state such use must not interfere with the performance of work responsibilities. The following
are other guidelines typically seen in the authorized use section of e-mail usage policies:
• Subscribing to distribution lists and other forms of e-mail subscription services related to your job function
  is allowed. If the service does not pertain to your job function, seek manager approval before signing up.
• Passwords are your best defense against unauthorized use of your e-mail account. Do not compromise
  your account by giving it to others or displaying it in public view.
• The encryption of e-mail is not necessary for most situations, but all confidential messages should contain
  some form of encoding. If in doubt, contact your manager.
• Users should take care in addressing messages so they reach the appropriate recipient. Also, spelling and
  grammar should be checked by the e-mail client before sending the message.
• Long-term message retention is important only if it is relevant for business or legal purposes. If you desire
  to keep less important messages for longer than X days, please archive the e-mail to your allotted server
  storage space. The e-mail system is designed to delete messages older than X number of days.
• Avoid sending company- or department-wide messages. E-mail “blasting” can cause a system to slow
  down and affect performance. If you have a company- or department-wide message to deliver, first send it
  to a user who has access to the “all company” e-mail grouping.
• Large e-mail attachments can drastically slow system performance. Attachments that exceed X MB in size
  will be removed by the server and not sent.
Prohibited use of e-mail
An E-mail Usage Policy should clearly state what is not allowed on the system. While some items are obvious,
you should try to list as many offences as possible to make the policy more enforceable should the need
arise. The following are just a sample of prohibited activities you should consider when creating your policy:
• Creating or exchanging offensive or obscene messages of any kind, including pornographic material
• Sending e-mail that promotes discrimination on the basis of race, gender, national origin, age, marital
  status, sexual orientation, religion, or disability
• Sending e-mail that contains a threatening or violent message
• Exchanging proprietary information, trade secrets, or other confidential information with anyone not
  affiliated with the company
• Creating, forwarding, or exchanging spam, chain letters, solicitations, or advertising
• Creating, storing, or exchanging e-mail that violates material protected under copyright laws
• Distributing corporate data to the organization’s customers or clients without proper authorization
• Altering a message from other users without their permission
• Opening e-mail without performing a virus scan
• Improperly using someone else’s e-mail account as your own without permission
Factors affecting productivity
It is imperative that users understand how sending e-mail to large distribution groups can overload a system.
Many recipients do not need the e-mail and it can get in the way of other more important messages.
Attachments are another big concern for IT professionals, as the MB size continues to grow and user inboxes
fill with unneeded files. One way to combat attachment broadcasting is to centralize storage with space on an
Intranet Web site that users can provide links to in their e-mail messages.
Following the guidelines set forth in the E-mail Usage Policy will help users understand the importance of
sending well-defined e-mails. Perhaps nowhere is this clarification more apparent than in the subject line.
Message handling is vastly improved when subject lines are to the point and encompass the major thrust of
the e-mail message. This will ensure the message is not discarded before being read and will be easier to sort.
Security
E-mail is the easiest method for hackers to distribute viruses, worms, and other forms of malicious software.
Defending against these attacks is a major part of any IT professional’s job. Thus, the security section of the
E-mail Usage Policy can go a long way toward defining how restrictive an organization is with its e-mail
service. The company may wish to limit e-mail accounts only to individuals whose job descriptions require a
legitimate business use. Others may define a more liberal account structure, yet monitor usage and deal with
problem accounts according to the E-mail Usage Policy.
Privacy
E-mail Usage Policies should ensure users maintain no expectation of privacy while using company-owned or
company-leased equipment. Further, the policy should make it clear that information passing through or
stored on company equipment can and will be monitored. Users should also know the organization maintains
the right to monitor and review e-mail communications sent or received by users as necessary and that such
communications should not be considered private or secure.
Violation penalties
E-mail Usage Policies must clearly state the consequences of improper use, which typically range from loss of
e-mail account privileges to termination.
Policies should state how violations will be reviewed, such as on a case-by-case basis or on an every-case
basis. Policies should also describe the events that will be triggered when a violation occurs.
For example, a policy’s Violations section might read as follows:
Violations will be reviewed on a case-by-case basis. If it is determined that a user has violated one or more
use regulations, that user will receive a reprimand from his or her supervisor and his or her future use will be
closely monitored. If a gross violation has occurred, management will take immediate action. Such action may
result in losing e-mail account privileges, severe reprimand, or termination of employment.
Reporting
When violations occur, appropriate IT department staff and the offender’s managing supervisor should be
formally notified. Depending upon your organization, it may be appropriate to copy Human Resources
personnel on all messaging related to the violation. And, if the organization monitors employee e-mail use,
mail server log files should be saved as backup.
IT staff should take care when reviewing monitored communications to ensure employees are aware e-mail use
is being monitored. IT staff should monitor users’ e-mail use only insofar as is required to support
operational, maintenance, auditing, security, and investigative activities. Users should be told that IT staff
may review individual employees’ communications during the course of resolving a problem, but IT staff
should be encouraged not to review specific employees’ e-mail habits out of personal curiosity or at the
behest of individuals who have not received proper approval to monitor employee e-mail use.
Organizational readiness
An E-mail Usage Policy will fail to curtail inappropriate e-mail use if the policy is not rolled out properly or
enforced. Employees should be required to sign a personal copy of the E-mail Usage Policy and state that
they have read and understood the policy.
E-mail Usage Policies must be enforced to be effective. Violation reports must be followed up professionally,
and offenders must be dealt with according to the policy’s direction.
Length and language
There is no requirement that an E-mail Usage Policy be lengthy, contain legal jargon, or use excessive wording.
You are likely to be best served by communicating succinctly, in language users understand, which e-mail
activities are acceptable, which are not, and what the penalties for noncompliance are.
Lack of enforcement
Users will catch on quickly when an E-mail Usage Policy is not enforced. Here IT staff members can lead by
example by ensuring they refrain from using the organization’s systems to check e-mail in order to perform
non-business related activities.
When violations are discovered, the IT staff should work professionally with the offender, the offender’s
supervising manager, and a Human Resources representative to ensure situations are resolved quickly.
Important items
When preparing an E-mail Usage Policy, your organization needs to make difficult decisions regarding which
e-mail activities are acceptable and which are prohibited. Tough decisions must also be made when determining
the penalties for violations.
Ensure your IT department and Human Resources staff agree on the policy’s terms, especially for the
following items:
• Specific examples of acceptable e-mail usage
• Specific examples of unacceptable e-mail usage
• Penalties for first-time offenders
• Penalties for repeat offenders
Build Your Own E-mail Usage Policy
To begin customizing the alpha version of TechRepublic’s Build Your Own E-mail Usage
Policy, open the Excel spreadsheet included in the zip file with this case document.