Sample Email Security Policy Template

Corporate e-mail is not private. Users expressly waive any right of privacy in anything they create, store, send, or receive on {COMPANY-NAME}’s computer systems. {COMPANY-NAME} can, but is not obliged to, monitor emails without prior notification. All e-mails, files, and documents – including personal e-mails, files, and documents – are owned by {COMPANY-NAME}, may be subject to open records requests, and may be accessed in accordance with this policy.

Incoming email must be treated with the utmost care due to the inherent information security risks. An anti-virus application is used to identify malicious code(s) or files. All email is subjected to inbound filtering of e-mail attachments to scan for viruses, malicious code, or spam. Spam will be quarantined for the user to review for relevancy. Introducing a virus or malicious code to {COMPANY-NAME} systems could wreak havoc on the ability to conduct business. If the automatic scanning detects a security risk, IT must be immediately notified.

Anti-spoofing practices have been initiated for detecting spoofed emails. Employees should be diligent in identifying a spoofed email. If email spoofing has occurred, IT must be immediately notified.

Incoming emails are scanned for malicious file attachments. If an attachment is identified as having an extension known to be associated with malware, or prone to abuse by malware or bad actors or otherwise poses heightened risk, the attachment will be removed from the email prior to delivery.

Email rejection is ahieved through listing domains and IP addresses associated with malicious actors. Any incoming email originating from a known malicious actor will not be delivered. Any email account misbehaving by sending out spam will be shut down. A review of the account will be performed to determine the cause of the actions.

E-mail is to be used for business purposes and in a manner that is consistent with other forms of professional business communication. All outgoing attachments are automatically scanned for virus and malicious code. The transmission of a harmful attachment can not only cause damage to the recipient’s system, but also harm {COMPANY-NAME}’s reputation. The following activities are prohibited by policy:

• Sending e-mail that may be deemed intimidating, harassing, or offensive. This includes, but is not limited to: abusive language, sexually explicit remarks or pictures, profanities, defamatory or discriminatory remarks regarding race, creed, color, sex, age, religion, sexual orientation, national origin, or disability.
• Using e-mail for conducting personal business.
• Using e-mail for the purposes of sending SPAM or other unauthorized solicitations.
• Violating copyright laws by illegally distributing protected works.
• Sending e-mail using another person’s e-mail account, except when authorized to send messages for another while serving in an administrative support role.
• Creating a false identity to bypass policy.
• Forging or attempting to forge e-mail messages.
• Using unauthorized e-mail software.
• Knowingly disabling the automatic scanning of attachments on any {COMPANY-NAME} personal computer.
• Knowingly circumventing e-mail security measures.
• Sending or forwarding joke e-mails, chain letters, or hoax letters.
• Sending unsolicited messages to large groups, except as required to conduct {COMPANY-NAME} business.
• Sending excessively large messages or attachments.
• Knowingly sending or forwarding email with computer viruses.
• Setting up or responding on behalf of {COMPANY-NAME} without management approval.

All confidential or sensitive {COMPANY-NAME} material transmitted via e-mail, outside {COMPANY-NAME}’s network, must be encrypted. Passwords to decrypt the data should not be sent via email.

E-mail is not secure. Users must not e-mail passwords, social security numbers, account numbers, pin numbers, dates of birth, mother’s maiden name, etc. to parties outside the {COMPANY-NAME} network without encrypting the data. All user activity on {COMPANY-NAME} information system assets is subject to logging and review. {COMPANY-NAME} has software and systems in place to monitor email usage.

E-mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of {COMPANY-NAME}, unless appropriately authorized (explicitly or implicitly) to do so.

Users must not send, forward, or receive confidential or sensitive {COMPANY-NAME} information through non-{COMPANY-NAME} email accounts. Examples of non-{COMPANY-NAME} e-mail accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and e- mail provided by other Internet Service Providers (ISP). Users with non-{COMPANY-NAME} issued mobile devices must adhere to the Personal Device Acceptable Use and Security Policy for sending, forwarding, receiving, or storing confidential or sensitive {COMPANY-NAME} information.