Sample Email Security Policy Template

Contents

The purpose of this policy is to establish rules for the use of {COMPANY-NAME} email for sending, receiving, or storing of electronic mail.

Free Security Policy Templates

Get a step ahead of your cybersecurity goals with our comprehensive templates.

IT Security Policy Templates

Definitions

  • Anti-Spoofing: A technique for identifying and dropping units of data, called packets, that have a false source address.
  • Antivirus: Software used to prevent, detect, and remove malicious software.
  • Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another.
  • Electronic mail (e-mail): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
  • Email spoofing: The forgery of an email header so the message appears to have originated from someone other than the actual source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation to provide sensitive data or perform an action such as processing a wire transfer.
  • Inbound filters: A type of software based traffic filter allowing only designated traffic to flow towards a network.
  • Quarantine: Suspicious email message may be identified by an antivirus filter and isolated from the normal mail inbox.
  • SPAM: Unsolicited e-mail, usually from Internet sources. It is often referred to as junk e- mail.

Overview

E-mail at {COMPANY-NAME} must be managed as valuable and mission critical resources. Thus, this policy is established to:

  • Create prudent and acceptable practices regarding the use of information resources
  • Educate individuals who may use information resources with respect to their responsibilities associated with such use
  • Establish a schedule for retaining and archiving e-mail

Audience

This policy applies equally to all individuals granted access privileges to any {COMPANY-NAME} information resource with the capacity to send, receive, or store electronic mail.

Legal

Individuals involved may be held liable for:

  • Sending or forwarding e-mails with any libelous, defamatory, offensive, racist, or obscene remarks
  • Sending or forwarding confidential information without permission
  • Sending or forwarding copyrighted material without permission
  • Knowingly sending or forwarding an attachment that contains a virus

Policy Details

Corporate e-mail is not private. Users expressly waive any right of privacy in anything they create, store, send, or receive on {COMPANY-NAME}’s computer systems. {COMPANY-NAME} can, but is not obliged to, monitor emails without prior notification. All e-mails, files, and documents – including personal e-mails, files, and documents – are owned by {COMPANY-NAME}, may be subject to open records requests, and may be accessed in accordance with this policy.

Incoming email must be treated with the utmost care due to the inherent information security risks. An anti-virus application is used to identify malicious code(s) or files. All email is subjected to inbound filtering of e-mail attachments to scan for viruses, malicious code, or spam. Spam will be quarantined for the user to review for relevancy. Introducing a virus or malicious code to {COMPANY-NAME} systems could wreak havoc on the ability to conduct business. If the automatic scanning detects a security risk, IT must be immediately notified.

Anti-spoofing practices have been initiated for detecting spoofed emails. Employees should be diligent in identifying a spoofed email. If email spoofing has occurred, IT must be immediately notified.

Incoming emails are scanned for malicious file attachments. If an attachment is identified as having an extension known to be associated with malware, or prone to abuse by malware or bad actors or otherwise poses heightened risk, the attachment will be removed from the email prior to delivery.

Email rejection is ahieved through listing domains and IP addresses associated with malicious actors. Any incoming email originating from a known malicious actor will not be delivered. Any email account misbehaving by sending out spam will be shut down. A review of the account will be performed to determine the cause of the actions.

E-mail is to be used for business purposes and in a manner that is consistent with other forms of professional business communication. All outgoing attachments are automatically scanned for virus and malicious code. The transmission of a harmful attachment can not only cause damage to the recipient’s system, but also harm {COMPANY-NAME}’s reputation. The following activities are prohibited by policy:

  • Sending e-mail that may be deemed intimidating, harassing, or offensive. This includes, but is not limited to: abusive language, sexually explicit remarks or pictures, profanities, defamatory or discriminatory remarks regarding race, creed, color, sex, age, religion, sexual orientation, national origin, or disability.
  • Using e-mail for conducting personal business.
  • Using e-mail for the purposes of sending SPAM or other unauthorized solicitations.
  • Violating copyright laws by illegally distributing protected works.
  • Sending e-mail using another person’s e-mail account, except when authorized to send messages for another while serving in an administrative support role.
  • Creating a false identity to bypass policy.
  • Forging or attempting to forge e-mail messages.
  • Using unauthorized e-mail software.
  • Knowingly disabling the automatic scanning of attachments on any {COMPANY-NAME} personal computer.
  • Knowingly circumventing e-mail security measures.
  • Sending or forwarding joke e-mails, chain letters, or hoax letters.
  • Sending unsolicited messages to large groups, except as required to conduct {COMPANY-NAME} business.
  • Sending excessively large messages or attachments.
  • Knowingly sending or forwarding email with computer viruses.
  • Setting up or responding on behalf of {COMPANY-NAME} without management approval.

All confidential or sensitive {COMPANY-NAME} material transmitted via e-mail, outside {COMPANY-NAME}’s network, must be encrypted. Passwords to decrypt the data should not be sent via email.

E-mail is not secure. Users must not e-mail passwords, social security numbers, account numbers, pin numbers, dates of birth, mother’s maiden name, etc. to parties outside the {COMPANY-NAME} network without encrypting the data. All user activity on {COMPANY-NAME} information system assets is subject to logging and review. {COMPANY-NAME} has software and systems in place to monitor email usage.

E-mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of {COMPANY-NAME}, unless appropriately authorized (explicitly or implicitly) to do so.

Users must not send, forward, or receive confidential or sensitive {COMPANY-NAME} information through non-{COMPANY-NAME} email accounts. Examples of non-{COMPANY-NAME} e-mail accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and e- mail provided by other Internet Service Providers (ISP). Users with non-{COMPANY-NAME} issued mobile devices must adhere to the Personal Device Acceptable Use and Security Policy for sending, forwarding, receiving, or storing confidential or sensitive {COMPANY-NAME} information.

Incidental Use

Incidental personal use of sending e-mail is restricted to {COMPANY-NAME} approved users; it does not extend to family members or other acquaintances. Without prior management approval, incidental use must not result in direct costs to {COMPANY-NAME}. Incidental use must not interfere with the normal performance of an employee’s work duties.

No files or documents may be sent or received that may cause legal liability for or embarrassment to {COMPANY-NAME}. Storage of personal files and documents within {COMPANY-NAME}’s IT systems should be nominal.

Email Retention

  • Messages are retained for 36 months. Emails older than 36 months are subject to automatic purging.
  • Deleted and archived emails are subject to automatic purging.
  • Appointments, Tasks, and Notes older than the retention period are subject to automatic purging.

Email Archive

  • Only the owner of a mailbox and the system administrator has access to the archive.
  • Messages will be deleted from the online archive 36 months from the original send/receive date.

Article by

Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.

Share This Page

Our Editorial Process

Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.

Categories

.

The Breach Report

Our team of security researchers analyze recent cyber attacks, explain the impact, and provide actionable steps to keep you ahead of the trends.

Related Templates

Acceptable Use of Information Systems

An acceptable use policy outlines the use of computer equipment. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues.

This policy defines the requirement for reporting and responding to incidents related to the company’s information systems and operations

A penetration testing policy provides guidance for managing a penetration testing program and performing penetration testing activities with the goal of improving defensive IT security

The purpose of an internet usage policy is to establish the rules for the use of company Internet for access to the Internet or the Intranet.

The company must prioritize its assets and protect the most critical ones first; however, it is important to ensure patching takes place on all machines.