Just as Internet access must be managed to protect against lost productivity, security breaches and improper use, so too must e-mail use be carefully administered. E-mail policies protect against unauthorized data access and distribution, the introduction of dangerous viruses and other security threats, and lost productivity. Without effective e-mail policies, self-replicating viruses could easily slow network traffic to a halt, Trojan horses could jeopardize sensitive data and the organization could even become liable should an employee use organization-provided e-mail to send harassing or offensive messages to others (both inside and outside the organization).

Dangers are well documented

Entire books have been written that provide guidance for avoiding lawsuits that could arise from improper e-mail use. E-mail's been shown to present "serious operational and financial risk to the global banking industry," among others, according to a report authored by the Gartner analyst group. Renowned zoologist Jane Goodall even labeled e-mail "the most dangerous form of communication."

Is e-mail getting a bad rap? Certainly, used improperly, e-mail messaging poses threats that cannot be ignored. But with a combination of technological protections (server-based antivirus, group policies that prevent end users from triggering executable e-mail attachments, etc.) and an enforced e-mail use policy, organizations can mitigate the risks while leveraging e-mail's benefits.

Start with technology

Users should already be precluded from downloading and installing malicious and/or time-wasting files on your network. Leverage server-based antivirus and antispam controls to eliminate threats before they even make their way to end users' desktops. Effective server management and proper filter maintenance help ensure phishing attempts are minimized and users remain free to use e-mail as intended: solely for the fulfillment of job responsibilities.

In addition to deploying software-based group, system and local policies, network monitoring software should be implemented to help identify potential threats. Using firewalls or Microsoft's Internet Security and Acceleration Server to block access to popular third-party e-mail services, such as Gmail, Hotmail and Yahoo Mail, can further decrease your organization's risks.

Finish with a policy

Technology solutions, however, aren't foolproof. End users will occasionally (intentionally or not) circumvent your network's security initiatives. It's very difficult to block every conceivable Web-based e-mail site, and some are bound to be missed.

Introduce umbrella coverage by implementing an E-mail Use Policy. By clearly describing what behaviors constitute acceptable use of organization-provided computers, networks, systems and e-mail accounts, and by stating the penalties that result from policy violations, the organization can eliminate remaining risks.


Even if the organization's firewall fails to block a third-party e-mail site, and should a server-based application fail to remove a new e-mail-borne virus, having a policy in place that prohibits executing files received via e-mail can prevent a new outbreak. Further, policies can stop employees from using organization-provided e-mail systems and accounts for personal use; no longer must your organization foot the bill for a marketing representative's side eBay business or an accountant's inclination to forward chain e-mail messages.

TechRepublic's E-mail Use Vulnerability Assessment can help gauge your organization's policy needs. The interactive Microsoft Excel spreadsheet lists several criteria you rank based on your organization's specific situation. The tool returns a vulnerability score you can use as a more objective measure in determining whether a policy is warranted within your organization. Plus, the spreadsheet helps provide justification to end users when rolling out such a policy.

Should a policy be required, review TechRepublic's E-mail Use Policy. The ready-made template can be used as-is. Or, you can customize the pre-prepared policy to address your organization's specific needs.

However you build it, be sure your organization's e-mail use policy addresses all of the following:

  • Descriptions of what constitutes acceptable use of organization-provided computers, networks, systems and e-mail accounts
  • Prohibitions against using organization computers, systems and/or networks to access personal e-mail accounts and/or sites
  • Prohibitions against using organization-provided e-mail accounts to send harassing and/or offensive messages
  • An acknowledgement from the employee that they've read the policy and agree to its terms
  • The penalties associated with violations

Drafting and distributing the policy doesn't complete the process. It's critical that Information Technology departments enforce the policy. Without monitoring and enforcement, the effort becomes nothing more than a futile paper exercise.

For more on implementing effective policies, review the following TechRepublic articles: "Use a policy audit to ensure that your policies are followed," "Learn how to win support for your new IT policy" and "Creating an IT policy that works."

You can quickly implement an email usage policy in your organization by downloading TechRepublic's Email Usage Policy. Included you'll find a risk assessment spreadsheet that will help you determine the importance of such a policy to your organization's security along with a basic policy that you can use and modify. You can purchase it from the TechRepublic Catalog or download it for free as part of your TechRepublic Pro membership.