Free Email Security
Policy Template

Learn how PurpleSec’s experts can help develop your organization’s cyber security policies.

Author: Rich Selvidge, CISSP / Last Updated: 8/11/22

Reviewed By: Michael Swanagan, CISSP, CISA, CISM

View Our: Editorial Process

Definitions

Anti-Spoofing: A technique for identifying and dropping units of data, called packets, that have a false source address.

Antivirus: Software used to prevent, detect, and remove malicious software.

Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another.

Electronic mail (e-mail): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.

Email spoofing: The forgery of an email header so the message appears to have originated from someone other than the actual source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation to provide sensitive data or perform an action such as processing a wire transfer.

Inbound filters: A type of software based traffic filter allowing only designated traffic to flow towards a network.

Quarantine: Suspicious email message may be identified by an antivirus filter and isolated from the normal mail inbox.

SPAM: Unsolicited e-mail, usually from Internet sources. It is often referred to as junk e- mail.

Overview

E-mail at {COMPANY-NAME} must be managed as valuable and mission critical resources. Thus, this policy is established to:

• Create prudent and acceptable practices regarding the use of information resources
• Educate individuals who may use information resources with respect to their responsibilities associated with such use
• Establish a schedule for retaining and archiving e-mail

Purpose

The purpose of this policy is to establish rules for the use of {COMPANY-NAME} email for sending, receiving, or storing of electronic mail.

Audience

This policy applies equally to all individuals granted access privileges to any {COMPANY-NAME} information resource with the capacity to send, receive, or store electronic mail.

Legal

Individuals involved may be held liable for:

• Sending or forwarding e-mails with any libelous, defamatory, offensive, racist, or obscene remarks
• Sending or forwarding confidential information without permission
• Sending or forwarding copyrighted material without permission
• Knowingly sending or forwarding an attachment that contains a virus

Policy Details

Corporate e-mail is not private. Users expressly waive any right of privacy in anything they create, store, send, or receive on {COMPANY-NAME}’s computer systems. {COMPANY-NAME} can, but is not obliged to, monitor emails without prior notification. All e-mails, files, and documents – including personal e-mails, files, and documents – are owned by {COMPANY-NAME}, may be subject to open records requests, and may be accessed in accordance with this policy.

Incoming email must be treated with the utmost care due to the inherent information security risks. An anti-virus application is used to identify malicious code(s) or files. All email is subjected to inbound filtering of e-mail attachments to scan for viruses, malicious code, or spam. Spam will be quarantined for the user to review for relevancy. Introducing a virus or malicious code to {COMPANY-NAME} systems could wreak havoc on the ability to conduct business. If the automatic scanning detects a security risk, IT must be immediately notified.

Anti-spoofing practices have been initiated for detecting spoofed emails. Employees should be diligent in identifying a spoofed email. If email spoofing has occurred, IT must be immediately notified.

Incoming emails are scanned for malicious file attachments. If an attachment is identified as having an extension known to be associated with malware, or prone to abuse by malware or bad actors or otherwise poses heightened risk, the attachment will be removed from the email prior to delivery.

Email rejection is achieved through listing domains and IP addresses associated with malicious actors. Any incoming email originating from a known malicious actor will not be delivered. Any email account misbehaving by sending out spam will be shut down. A review of the account will be performed to determine the cause of the actions.

E-mail is to be used for business purposes and in a manner that is consistent with other forms of professional business communication. All outgoing attachments are automatically scanned for virus and malicious code. The transmission of a harmful attachment can not only cause damage to the recipient’s system, but also harm {COMPANY-NAME}’s reputation. The following activities are prohibited by policy:

• Sending e-mail that may be deemed intimidating, harassing, or offensive. This includes, but is not limited to: abusive language, sexually explicit remarks or pictures, profanities, defamatory or discriminatory remarks regarding race, creed, color, sex, age, religion, sexual orientation, national origin, or disability.
• Using e-mail for conducting personal business.
• Using e-mail for the purposes of sending SPAM or other unauthorized solicitations.
• Violating copyright laws by illegally distributing protected works.
• Sending e-mail using another person’s e-mail account, except when authorized to send messages for another while serving in an administrative support role.
• Creating a false identity to bypass policy.
• Forging or attempting to forge e-mail messages.
• Using unauthorized e-mail software.
• Knowingly disabling the automatic scanning of attachments on any {COMPANY-NAME} personal computer.
• Knowingly circumventing e-mail security measures.
• Sending or forwarding joke e-mails, chain letters, or hoax letters.
• Sending unsolicited messages to large groups, except as required to conduct {COMPANY-NAME} business.
• Sending excessively large messages or attachments.
• Knowingly sending or forwarding email with computer viruses.
• Setting up or responding on behalf of {COMPANY-NAME} without management approval.

All confidential or sensitive {COMPANY-NAME} material transmitted via e-mail, outside {COMPANY-NAME}’s network, must be encrypted. Passwords to decrypt the data should not be sent via email.

E-mail is not secure. Users must not e-mail passwords, social security numbers, account numbers, pin numbers, dates of birth, mother’s maiden name, etc. to parties outside the {COMPANY-NAME} network without encrypting the data. All user activity on {COMPANY-NAME} information system assets is subject to logging and review. {COMPANY-NAME} has software and systems in place to monitor email usage.

E-mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of {COMPANY-NAME}, unless appropriately authorized (explicitly or implicitly) to do so.

Users must not send, forward, or receive confidential or sensitive {COMPANY-NAME} information through non-{COMPANY-NAME} email accounts. Examples of non-{COMPANY-NAME} e-mail accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and e- mail provided by other Internet Service Providers (ISP). Users with non-{COMPANY-NAME} issued mobile devices must adhere to the Personal Device Acceptable Use and Security Policy for sending, forwarding, receiving, or storing confidential or sensitive {COMPANY-NAME} information.

Incidental Use

Incidental personal use of sending e-mail is restricted to {COMPANY-NAME} approved users; it does not extend to family members or other acquaintances. Without prior management approval, incidental use must not result in direct costs to {COMPANY-NAME}. Incidental use must not interfere with the normal performance of an employee’s work duties.

No files or documents may be sent or received that may cause legal liability for or embarrassment to {COMPANY-NAME}. Storage of personal files and documents within {COMPANY-NAME}’s IT systems should be nominal.

Email Retention

• Messages are retained for 36 months. Emails older than 36 months are subject to automatic purging.
• Deleted and archived emails are subject to automatic purging.
• Appointments, Tasks, and Notes older than the retention period are subject to automatic purging.

Email Archive

• Only the owner of a mailbox and the system administrator has access to the archive.
• Messages will be deleted from the online archive 36 months from the original send/receive date.