Security policies become a foundation for an information security management system. Management can decide exactly what constitutes breach of information security and lay ground rules, by which employees have to abide. The employees also have a ready reference point to look up the organization’s policy on certain issues. Most importantly, these policies need to be collated and cohesive, making sure there are no conflicting policies.
It is important to have a comprehensive set of policies and procedures, which can be applied across the organization. The manual should also typically include department-specific security policies; for instance, the IT department has more leeway than members of the housekeeping department.
Components of a Security Manual
There are many components of an email security policy and procedure manual, and few of the most common heads are listed here:
- Authorized Usage – As a corollary to the previous point, the use of office resources for personal reasons, whether time or network, is considered unauthorized usage. Many organizations do not enforce this point to the letter, although each individual is expected to act in a responsible manner. Personal work can be done so long as the resources utilized do not restrict the organizational work, nor consume too many resources. The use of company resources to conduct other business activities is severely prohibited.
- Client privacy – Emails containing client information are to be treated with the same level of security as data stored within the organization. Under no circumstances is client information to be distributed to any outside parties.
- Deletions of emails – Messages that are older than a stipulated time are usually purged from systems to avoid unnecessary utilization of resources. If there are legal proceedings underway, all electronic communication pertaining to those proceedings need to be retained till the issues are resolved permanently.
- Employee email privacy – Since all electronic communication is considered the property of the organization, there is never any guarantee that employee emails will not be scrutinized periodically. Employee email privacy is not guaranteed under any circumstances.
- Forwarding of messages and spam – Most organizations frown on mass mail forwarding, as it is considered spam. Employees are expected to exercise responsibility and circumspection when assessing which messages are appropriate for several recipients.
- Incidental Disclosure – In the event a situation arises, it may be necessary to examine the contents of employee communication, in the course of resolution of issues.
- Property of the organization – Usually an enterprise lays claim to all email and other means of electronic communication as their property; that means the employee cannot treat emails generated during office hours or using company facilities as their own, even if they are personal messages. Therefore the use of personal emails is heavily discouraged.
- Responsibility and accountability – An employee will be held liable for any loss incurred by the company if adequate security measures are not followed. For example, sharing of passwords cannot be done without prior knowledge and express approval of the management. Although users may not be held accountable if there is a security attack, they are expected to follow password policies to deter such attacks.
An email security policy and procedure manual is put in place to set limits on the use of not only email on office machines, but also emails on computers brought into the workplace, mobile phones, and computers used by employees outside the organization for work. By using these systems, employees agree to comply with the policies laid out in the manual, as it outlines specific instructions on the ways to use email securely and responsibly.