We all know that email is an indispensable tool for business communication, but it's not without risk. If misused, email has the potential to damage key business interests in multiple ways. But, much like policies used for data security, email "policy" offers a way to minimize these varied risks and protect related interests. Read on to learn how it works.
Start with a Review of Risks and Rewards
Email is a fast, easy and readily accessible means of business communication. It has changed the way we communicate. These are the obvious rewards - but they are also the basis of every risk. Whenever email content is ill-advised, inappropriate, or even gets into the wrong hands, negative consequences can follow, including legal liability, regulatory penalties, confidentiality breaches, damage to corporate reputation, public embarrassment, internal conflicts, and all the related losses in productivity and performance that these circumstances can cause. Further, data loss and damage to technology assets can be realized through the transmission of malicious code, spam and computer viruses.
Perform the "What-if" Analysis: What are the risks to my organization of email abuse and/or misuse, and what are the likely consequences if these risks are not properly addressed? The next step is to weigh the costs and complications of all mitigating actions, and to then strike an appropriate balance between risk and probability.
To eliminate email usage is impractical and even unthinkable - so the goal has to be to minimize the risks through the best means possible - and that is through the use of physical security precautions and practical, relevant and enforceable email policy. To realize all of the intended goals and objectives, related policies (which will integrate closely with data security and internet usage policies) must encompass four (4) key governance needs:
- Email Usage: To determine the circumstances under which email can and will be used within a given organization, whether there will be any limits and/or restrictions on the types of information that can be transmitted via email, as well as any limits and/or restrictions on the use of business email systems for personal communications.
- Email Oversight: To establish that emails are official company records and to determine the manner in which email usage will be monitored and controlled, including the "ownership" of email content transmitted on business email systems.
- Email Etiquette: To establish formatting, content and usage guidelines designed to minimize the risk that email content will be deemed unprofessional, offensive, inappropriate or subject to ridicule and criticism.
- Email Management: To establish and implement appropriate technical controls to limit the risks of inbound email spam, viruses and malicious code, and to establish automated procedures for email backup, storage and retention.
As a whole, usage, oversight, etiquette and management parameters must be combined to formulate "policy" that is aligned with business and technical needs, realistic considering actual communication needs, and enforceable considering corporate culture and related technical abilities.
Key Questions for Policy Scope and Content
To ensure that all usage, oversight, etiquette and management needs can be met, adopted email policies must be designed according to anticipated email usage, corporate culture, characteristics, business requirements, legal requirements, technical requirements and internal capabilities for enforcement. The list below provides a head start for policy planning, listing the key questions to be considered and addressed as part of the policy development process:
- Policy Purpose
  - What are the specific goals of this email policy?
  - Why has the policy been created (considering the background events leading to policy development)?
  - What will the policy accomplish considering email usage, access, etiquette and management goals and objectives?
- Policy Basis
  - What is the underlying authority and/or organizational basis for this email policy (considering internal guidelines and/or external regulatory requirements)?
  - Do you have sufficient executive support to enforce compliance with all of the policy provisions?
- Policy Scope
  - What are the organizational targets of the policy considering company-wide applicability, division specific application, departmental application or location specific application?
- Policy Stakeholders
  - Who are the policy stakeholders considering both individuals and groups who have a vested interest in the policy and ability to influence the outcome?
  - What are the specific roles and responsibilities required to implement, administer and enforce all policy terms, including all stated compliance obligations?
- Email Management
  - What are the means and methods to be utilized to manage and secure all email systems considering access, standards for email addresses, restrictions on attachment size, remote access, spam and junk mail limitations and related management controls?
- Compliance and Enforcement Guidelines
  - What are the established guidelines for email policy compliance?
  - Will there be any exceptions and/or waivers with regard to policy compliance? If so, what are the terms under which exceptions and/or waivers will be granted?
  - How will compliance be enforced and what are the consequences for a failure to comply?
  - How will employees be provided with training relating to email policy compliance?
  - What types of auditing procedures will be used to monitor and promote email policy compliance?
Institutionalize Email Etiquette
Many of the goals and objectives of email policies can be achieved through the use of physical controls on email access, particularly limitations on inbound junk mail and spam. On the other side, email etiquette is far more difficult to implement and enforce, but it is no less valuable towards achieving the ultimate policy goal - to maximize the value of email communication and minimize the risk. While etiquette guidelines can become quite extensive, at a minimum, every effective email policy should incorporate the following parameters:
- Tone: Email content should always be professional, courteous and respectful. Appropriate greetings, salutations and sign-offs should always be used. Just as shouting or abusive language is not to be tolerated in the workplace, neither should "all caps", excessive exclamation points or other indicators of anger be allowed in email communications.
- Quality: Email content should reflect appropriate formality in communication, avoiding spelling errors and using proper grammar and punctuation. Subjects should be relevant to the message contained, and new subjects should not be tacked on to other lengthy email threads.
- Clarity: Email recipients should be aware of their place and role in a given message and communication thread. A "to" is different than a "cc" (and certainly a blind cc). Individuals who are cc'd on a message should not respond as if they were the designated recipient - this only leads to confusion and miscommunication.
- Concern: Email should always be given the respect it deserves. End-users should be encouraged to never send email communications in anger and to always protect the email addresses of others when appropriate.
Tips to Remember: Every email policy should be implemented and enforced consistently (avoiding selective enforcement), with specified steps to monitor compliance. It's also important to remember that if compliance should prove lacking, policy terms should be reviewed to ensure that the fault does not lie in the policy itself. Realistic policies that are suitably relevant to business needs and properly communicated should garner significant compliance. In the end, policy promotion and end-user training will be essential to realize required benefits.
Source: Unless noted otherwise, all content is created by and/or for ITtoolkit.com
ITtoolkit.com staff writers have experience working for some of the largest corporations, in various positions including marketing, systems engineering, help desk support, web and application development, and IT management.
ITtoolkit.com is part of Right Track Associates, proprietors and publishers of multiple web sites including ITtoolkit.com, Fast Track Manage, HOA Board List and more. We started ITtoolkit.com in 2001 and have continued to grow our web site portfolio, Toolkit products, and related data services. To learn more, visit us at Right Track Associates.