E-mail policy
These discussions of security policies have naturally led us up to the question of e-mail policies. My advice in this area is very simple and straightforward: Get one. It's not up to me to tell you what to say in your policy. You can be liberal or conservative; you can be invasive or protective. But you have to have a policy, because if you don't have an e-mail policy in your company, you'll be forever in limbo when the inevitable problems arise.
There are three main questions that any e-mail policy must answer:
1) What is e-mail appropriate for?
2) Who owns the e-mail?
3) When is your e-mail private and when is it not?
Again, it's not for me to tell you what the best policy is for your company. You have to match the organization's needs, style of doing business and any external factors (such as government regulation or sensitivity of the work being done) to your policy. But you must consider those three questions, and come up with answers in clear, unequivocal language. If you want to claim, for example, that there is no privacy in corporate e-mail (which is the de facto policy at some organizations), then simply say that: "no corporate e-mail is considered private." Don't beat around the bush --- that will just get you into trouble.
In addition to those three questions, there are some other things you probably want to tell people if they are appropriate for your organization. I'm not advocating any of these practices, but if you engage in them, full disclosure is a requirement.
1) We back up your e-mail, and we can look at your old e-mail.
2) We keep all e-mail, even e-mail you think you deleted. (This may be required by law, depending on what organization you work for.)
3) We randomly peek at e-mail (or perhaps we never randomly peek at e-mail).
4) Your supervisor can read your e-mail any time he or she wants (or perhaps your supervisor cannot).
And finally:
5) Remember, all mail that travels over the Internet should be considered completely public and should never contain unprotected sensitive information.
Once you put this policy together and get the appropriate people to sign off on it (your CEO is a good start, although you probably also want your CIO/CTO and CFO to be in on the party), then make sure that everyone who uses your e-mail system has a copy of this policy. Make them read it and sign it as part of getting an account (which is a good argument for making it short and sweet), and make sure that existing e-mail users all positively acknowledge that they've read the policy.
Next time: ECPA, the law of the land (at least in the US) with regard to e-mail privacy and confidentiality.
