Creating an Effective Email Policy Central Missouri Chapter Jesse Wilkins April 16, 2009

ELEMENTS OF AN EMAIL POLICY

Email policy Critical requirement for effective governance Provides broad policy statements Should be included in broader communications or IT policy Lots of references and examples available

Critical requirement for effective

governance

Provides broad policy statements

Should be included in broader communications or IT policy

Lots of references and

examples available

Email policy elements Every organization’s email policy will be different Public vs. private sector Regulatory requirements, both horizontal and vertical There are some common areas that should be addressed

Every organization’s email policy will be different

Public vs. private sector

Regulatory requirements, both horizontal and vertical

There are some common areas that should be addressed

Policy elements Purpose Scope Definitions Policy statements Procedures Responsibilities References

Purpose

Scope

Definitions

Policy statements

Procedures

Responsibilities

References

Purpose and scope This policy has three purposes: Establish definitions relevant to the email management program Describe usage policies relating to email Describe security and technology policies relating to email Scope: This policy is applicable to the entire enterprise.

This policy has three purposes:

Establish definitions relevant to the email management program

Describe usage policies relating to email

Describe security and technology policies relating to email

Scope: This policy is applicable to the entire enterprise.

Definitions Uncommon terms Common terms used in an uncommon fashion Acronyms and abbreviations

Uncommon terms

Common terms used in an uncommon fashion

Acronyms and abbreviations

Acceptable usage Most common element of email policies today Typically addresses things NOT to do: Obscene language or sexual content Jokes, chain letters, business solicitation Racial, ethnic, religious, or other slurs May address signature blocks Standardization, URLs, pictures

Most common element of email policies today

Typically addresses things NOT to do:

Obscene language or sexual content

Jokes, chain letters, business solicitation

Racial, ethnic, religious, or other slurs

May address signature blocks

Standardization, URLs, pictures

Effective usage Guidance on writing emails Wording and punctuation Spell check and grammar check Effective subject lines Guidance on email etiquette Guidance on addressees

Guidance on writing emails

Wording and punctuation

Spell check and grammar check

Effective subject lines

Guidance on email etiquette

Guidance on addressees

Personal usage Whether personal usage is allowed Any limitations to personal usage Separation of personal and business usage within individual messages Personal email account access

Whether personal usage is allowed

Any limitations to personal usage

Separation of personal and business usage within individual messages

Personal email account access

Ownership and stewardship Whether email is considered to be owned by the organization Responsibility for stewardship of messages, both sent and received Privacy and monitoring Third-party access

Whether email is considered to be owned by the organization

Responsibility for stewardship of messages, both sent and received

Privacy and monitoring

Third-party access

Retention and disposition Email is a medium, not a record type or series Email messages can be records Subject to open records/FOIA, discovery, etc. Other information objects can be records Calendars Read receipts/bounces

Email is a medium, not a record type or series

Email messages can be records

Subject to open records/FOIA, discovery, etc.

Other information objects can be records

Calendars

Read receipts/bounces

Legal issues Email can be subject to discovery Assigns responsibility for communicating legal holds Describes whether or not email disclaimers will be used and how May outline privilege issues

Email can be subject to discovery

Assigns responsibility for communicating legal holds

Describes whether or not email disclaimers will be used and how

May outline privilege issues

Encryption and digital signatures Outlines whether encryption is allowed What approaches available for encryption Whether digital signatures are allowed What approaches to use

Outlines whether encryption is allowed

What approaches available for encryption

Whether digital signatures are allowed

What approaches to use

Mobile and remote email Most often found as part of general policies for remote workers Requirements for mobile devices Requirements for web-based access Synchronization and login requirements

Most often found as part of general policies for remote workers

Requirements for mobile

devices

Requirements for web-based

access

Synchronization and

login requirements

Archival Addresses whether email will be archived Addresses whether personal archives will be allowed May address backups – but backups are not archives

Addresses whether email will be archived

Addresses whether personal archives will be allowed

May address backups – but backups are not archives

Security Attachment limitations Whether they can be sent at all Size limitations Content type limitations Attachments vs. links Content filtering Encryption and DRM

Attachment limitations

Whether they can be

sent at all

Size limitations

Content type limitations

Attachments vs. links

Content filtering

Encryption and DRM

Procedures Detailed instructions for complying with policies Each of the policy statements will have one or more procedures May be specific to process, business unit, jurisdiction, application

Detailed instructions for complying with policies

Each of the policy statements will have one or more procedures

May be specific to process, business unit, jurisdiction, application

Responsibilities Responsibilities for policy development and maintenance Responsibilities for compliance with policy Managers Users Specialist staff

Responsibilities for policy development and maintenance

Responsibilities for compliance with policy

Managers

Users

Specialist staff

References List any references used to develop the policy Internal strategic documents Records program governance instruments Publications

List any references used to develop the policy

Internal strategic documents

Records program governance instruments

Publications

DEVELOPING THE EMAIL POLICY

The policy framework Approach to developing and implementing a policy Ensures that policy development is consistent with organizational goals Ensures that policy meets legal and regulatory requirements

Approach to developing and implementing a policy

Ensures that policy development is consistent with organizational goals

Ensures that policy meets legal and regulatory requirements

1. Get management support Policy development requires time and energy from users and stakeholders So does policy implementation Ongoing compliance will require auditing and communication None of this happens without management support

Policy development requires time and energy from users and stakeholders

So does policy implementation

Ongoing compliance will require

auditing and communication

None of this happens without management support

2. Identify stakeholders Policy should address the entire enterprise Stakeholders should include: Business unit managers End users Legal, RM, IT External customers and partners

Policy should address the entire enterprise

Stakeholders should include:

Business unit managers

End users

Legal, RM, IT

External customers and partners

What changes are being introduced? Processes, technologies What are the desired outcomes? What behavioral changes should result? 3. Identify the goals of the policy

What changes are being introduced?

Processes, technologies

What are the desired outcomes?

What behavioral changes should result?

4. Conduct the research Legal research Organizational research Public research Standards and guidelines Benchmarking Consult with similar organizations Analyze the results

Legal research

Organizational research

Public research

Standards and guidelines

Benchmarking

Consult with similar

organizations

Analyze the results

5. Draft the policy Collaborative and iterative process There are a number of resources available to provide an email policy framework These are starting points and need to be customized for your requirements

Collaborative and iterative process

There are a number of resources available to provide an email policy framework

These are starting points

and need to be customized

for your requirements

6. Review the policy Review by legal, HR, users Ensures it is valid Ensures it will work within existing organizational culture Change management

Review by legal, HR, users

Ensures it is valid

Ensures it will work within existing organizational culture

Change management

7. Approve the policy Policy is reviewed by business managers, senior management Complete revisions as necessary Approve the policy

Policy is reviewed by business managers, senior management

Complete revisions as necessary

Approve the policy

8. Implement the policy Communication Training Auditing

Communication

Training

Auditing

Monitor for compliance with policy Solicit feedback about policy Provide refresher training as required Consider whether to retain previous versions of the policy Plan for periodic review and maintenance 9. Once the policy is live

Monitor for compliance with policy

Solicit feedback about policy

Provide refresher training as required

Consider whether to retain

previous versions of the policy

Plan for periodic review and maintenance

Questions?

For more information Jesse Wilkins, erm m , emm m , ecm m Access Sciences Corporation (303) 574-0749 direct [email_address] http://informata.blogspot.com http://www.accesssciences.com/blogs Twitter: jessewilkins

Jesse Wilkins, erm m , emm m , ecm m

Access Sciences Corporation

(303) 574-0749 direct

[email_address]

http://informata.blogspot.com

http://www.accesssciences.com/blogs

Twitter: jessewilkins