Just as Internet access must be managed to protect against
lost productivity, security breaches and improper use, so too must e-mail use
be carefully administered. E-mail
policies protect against unauthorized data access and distribution, the
introduction of dangerous viruses and other security threats and lost
productivity. Without effective e-mail policies, self-replicating viruses could
easily slow network traffic to a halt, Trojan horses could jeopardize sensitive
data and the organization could even become liable should an employee use
organization-provided e-mail to send harassing or offensive messages to others
(both inside and outside the organization).

Dangers are well documented

Entire books
have been written that provide guidance for avoiding lawsuits that could arise
from improper e-mail use. E-mail’s been
shown to present “serious operational and financial risk to the global
banking industry,” among others, according to a report
authored by the Gartner analyst group. Renowned zoologist Jane Goodall even labeled
e-mail “the most dangerous form of communication.”

Is e-mail getting a bad rap? Certainly, used improperly,
e-mail messaging poses threats that cannot be ignored. But with a combination
of technological protections (server-based antivirus, group policies that
prevent end users from triggering executable e-mail attachments, etc.) and an
enforced e-mail use policy, organizations can mitigate the risks while
leveraging e-mail’s benefits.

Start with technology

Users should already be precluded from downloading and
installing malicious and/or time-wasting files on your network. Leverage
server-based antivirus and antispam controls to eliminate threats before they
even make their way to end users’ desktops. Effective server management and
proper filter maintenance help ensure phishing attempts are minimized and users
remain free to use e-mail as intended: solely for the fulfillment of job
responsibilities.

In addition to deploying software-based group, system and
local policies, network monitoring software should be implemented to help
identify potential threats. Using firewalls or Microsoft’s Internet Security
and Acceleration Server to block access to popular third-party e-mail services,
such as Gmail, Hotmail and Yahoo Mail, can further decrease your organization’s
risks.

Finish with a policy

Technology solutions, however, aren’t foolproof. End users
will occasionally (intentionally or not) circumvent your network’s security
initiatives. It’s very difficult to block every conceivable Web-based e-mail
site, and some are bound to be missed.

Introduce umbrella coverage by implementing an E-mail Use
Policy. By clearly describing what behaviors constitute acceptable use of
organization-provided computers, networks, systems and e-mail accounts, and by
stating the penalties that result from policy violations, the organization can
eliminate remaining risks.

Even if the organization’s firewall fails to block a third-party e-mail site,
and should a server-based application fail to remove a new e-mail-borne virus,
having a policy in place that prohibits executing files received via e-mail can
prevent a new outbreak. Further, policies can stop employees from using
organization-provided e-mail systems and accounts for personal use; no longer
must your organization foot the bill for a marketing representative’s side eBay
business or an accountant’s inclination to forward chain e-mail messages.

TechRepublic’s E-mail Use Vulnerability Assessment can help
gauge your organization’s policy needs. The interactive Microsoft Excel
spreadsheet lists several criteria you rank based on your organization’s
specific situation. The tool returns a vulnerability score you can use as a
more objective measure in determining whether a policy is warranted within your
organization. Plus, the spreadsheet helps provide justification to end users
when rolling out such a policy.

Should a policy be required, review TechRepublic’s E-mail
Use Policy. The ready-made template can be used as-is. Or, you can customize
the pre-prepared policy to address your organization’s specific needs.

However you build it, be sure your organization’s e-mail use
policy addresses all of the following:

  • Descriptions of what constitutes acceptable use of organization-provided
    computers, networks, systems and e-mail accounts
  • Prohibitions against using organization computers, systems and/or networks
    to access personal e-mail accounts and/or sites
  • Prohibitions against using organization-provided e-mail accounts to send
    harassing and/or offensive messages
  • An acknowledgement from the employee that they’ve read the policy and agree
    to its terms
  • The penalties associated with violations

Drafting and distributing the policy doesn’t complete the
process. It’s critical that Information Technology departments enforce the
policy. Without monitoring and enforcement, the effort becomes nothing more
than a futile paper exercise.

For more on implementing effective policies, review the
following TechRepublic articles: “Use a policy audit to ensure that your
policies are followed,” “Learn how to win support for your new IT policy”
and “Creating an IT policy that works.”

You can quickly implement an email usage policy in your organization by
downloading TechRepublic’s Email Usage Policy. Included you’ll find a
risk assessment spreadsheet that will help you determine the importance
of such a policy to your organization’s security along with a basic
policy that you can use and modify. You can purchase it from the
TechRepublic Catalog or download it for free as part of your
TechRepublic Pro membership.