We all know that email is an indispensible tool for
business communication, but it’s not without risk.  If
misused, email has the potential to damage key business interests in
multiple ways.  But, much like
policies used for data security, email “policy” offers a way to minimize
these varied risks and protect related interests.  Read on to learn how it works.

Start with a Review of Risks and Rewards

Email is a fast, easy and readily accessible means of business
communication.  It has changed the way we communicate. 
These are the obvious rewards – but they are also the basis of every
risk.  Whenever email content is ill-advised, inappropriate, or
even gets into the wrong hands, negative consequences can follow,
including legal liability, regulatory penalties, confidentiality
breaches, damage to corporate reputation, public embarrassment,
internal conflicts, and all the related losses in productivity and
performance that these circumstances can cause.  Further, data
loss and damage to technology assets can be realized through the
transmission of malicious code, spam and computer viruses.

Perform the “What-if” Analysis: What are the risks to my organization of
email abuse and/or misuse, and what are the likely consequences if these risks are not properly
addressed? The next step is to weigh the costs and complications of
all mitigating actions, and to then strike an appropriate balance between risk and probability.

To eliminate email usage is impractical and even unthinkable – so
the goal has to be to minimize the risks through the best means
possible – and that is through the use of physical security
precautions and practical, relevant and
enforceable email policy.  To realize all of the
intended goals and objectives, related policies (which will
integrate closely with data security and internet usage policies) must encompass four (4) key
governance needs:

1. Email Usage:  To determine the
   circumstances under which email can and will be used within a
   given organization, whether there will be any limits and/or
   restrictions on the types of information that can be transmitted
   via email, as well as any limits and/or restrictions on the use
   of business email systems for personal communications.
2. Email Oversight:  To establish that
   emails are official company records and to determine the manner
   in which email usage will be monitored and controlled, including
   the “ownership” of email content transmitted on business email
   systems.
3. Email Etiquette:  To establish
   formatting, content and usage
   guidelines designed to minimize the risk that email content will
   be deemed unprofessional, offensive, inappropriate or subject to ridicule and
   criticism.
4. Email Management:  To establish and
   implement appropriate technical controls to limit the risks of
   inbound email spam, virus and malicious code, and to establish
   automated procedures for email backup, storage and retention.

As a whole, usage, oversight, etiquette and management parameters must be
combined to formulate “policy” that is aligned with business and technical needs,
realistic considering
actual communication needs, and enforceable considering corporate culture
and related technical abilities.

---

---

Key Questions for Policy Scope and Content

To ensure that all usage, oversight, etiquette and management
needs can be met, adopted email policies must be designed according to anticipated
email usage, corporate culture, characteristics, business
requirements, legal requirements, technical requirements and
internal capabilities for enforcement.  The list below provides
a head start for policy planning, listing the key questions to
be considered and addressed as part of the policy development
process:

• Policy Purpose
  • What are the specific goals of this email
    policy?
  • Why has the policy been created (considering the
    background events leading to policy development)?
  • What will the policy accomplish considering email usage,
    access, etiquette and management goals and objectives?
• Policy Basis
  • What is the underlying authority and/or organizational
    basis for this email policy (considering internal
    guidelines and/or external regulatory requirements)?
  • Do you have sufficient executive support to sufficiently
    enforce compliance with all of the policy provisions?
• Policy Scope
  • What are the organizational targets of the
    policy considering company-wide applicability, division
    specific application, departmental application or location
    specific application?
• Policy Stakeholders
  • Who are the policy stakeholders considering both
    individuals and groups who have a vested interest in the
    policy and ability to influence the outcome?
  • What are the specific roles and responsibilities
    required to implement, administer and enforce all policy terms,
    including all stated compliance obligations?
• Email Management
  • What are the means and methods to be utilized to manage
    and secure all email systems considering access, 
    standards for email addresses, restrictions on attachment
    size, remote access, spam and junk mail limitations and
    related management controls?
• Compliance and Enforcement Guidelines
  • What are established guidelines for email policy
    compliance?
  • Will there be any exceptions and/or waivers with regard
    to policy compliance?  If so, what are the terms under
    which exceptions and/or waivers will be granted?
  • How will compliance be enforced and what are the
    consequences for a failure to comply?
  • How will employees be provided with training relating to
    email policy compliance?
  • What types of auditing procedures will be used to
    monitor and promote email policy compliance?

Institutionalize Email Etiquette

Many of the goals and objectives of email policies can be
achieved through the use of physical controls on email access,
particularly limitations on inbound junk mail and spam.  On the
other side, email etiquette is far more difficult to implement and
enforce, but it is no less valuable towards achieving the ultimate
policy goal – to maximize the value of email communication and
minimize the risk.  While etiquette guidelines can become quite
extensive, at a minimum, every effective email policy should
incorporate the following parameters:

1. Tone:  Email content should always be
   professional, courteous and respectful.  Appropriate
   greetings, salutations and sign-offs should always be used. 
   Just as shouting or abusive language is not to be tolerated in
   the workplace, neither should “all caps”, excessive exclamation
   points or other indicators of anger be allowed in email
   communications.
2. Quality:  Email content should reflect
   appropriate formality in communication, avoiding spelling errors
   and using proper grammar and punctuation.  Subjects should
   be relevant to the message contained, avoiding tacking new
   subjects on to other lengthy email threads.
3. Clarity:  Email recipients should be
   aware of their place and role in a given message and
   communication thread.  A “to” is different than a “cc” (and
   certainly a blind cc).  Individuals who are cc’d on a
   message should not respond as if they were the designated
   recipient – this only leads to confusion and miscommunication.
4. Concern:  Email should always be given
   the respect it deserves.  End-users should be encouraged to
   never send email communications in anger and to always protect
   the email addresses of others when appropriate.

Tips to Remember:  Every email policy should be
implemented and enforced consistently (avoiding selective
enforcement), with specified steps to monitor compliance.  It’s
also important to remember that if compliance should prove lacking,
policy terms should be reviewed to ensure that the fault does not
lie in the policy itself.  Realistic policies, that are
suitably relevant to business needs and properly communicated should
garner significant compliance.  In the end, policy promotion
and end-user training will be essential to realize required
benefits.

---

THE IT SERVICE STRATEGY TOOLKIT

If you’re looking for a fast, easy way to achieve IT service success, you’ll find it inside
the IT Service Strategy Toolkit. This unique, informative online course gives you everything you need to become
an IT management leader and service planning expert. Here’s what you’ll learn:

• The I.T. Service Strategy Toolkit is an easy, engaging online course, containing over 50+
  education components, teaching you how to use the multi-stage ‘Service Strategy Process’ to organize the I.T. service function and deliver value-added I.T. services.

• Topics covered include developing the IT mission, organizing the IT service department, planning IT management policies, managing the IT/end-user service relationship, performing the IT service review, and more.

• Techniques covered include ‘Define, Align and Approve’, the ‘Manage by Process Framework’, the IT/End User Partnership, Proactive Problem Management and more.

• Download the tools and templates to produce the I.T. Vision Statement and multiple Service Review deliverables.

• Build and improve strategic planning skills, as you learn time-saving techniques to become a more productive IT manager or service professional.

• Course enrollment provides lifetime access to all components, with all future updates and additions included.