Email Policy Depth Advice

  • Question

  • Hi all, I am after some general comments and advice on how deep you need to go with a policy around email or any technology/IT service in general. Some of the example “email policies” I found on the Internet are so vague and short, and give examples of:


    “all mail traffic will be monitored; employees are expected to use email sensibly, with limited private use acceptable in non-work hours”.


    But to me, there are so many issues in email management that I wasn’t sure if these are typically documented in policy, or documented somewhere else. As I have never written a policy before, I don’t know what needs to go in it, and what needs to go in other documentation, or what this other documentation is called.


    For example, if an email account receives sensitive data – there is surely a duty to only allow users access to that mailbox who need access to it, and there is a duty to from time to time audit who has access to the mailbox set via AD, or who has access to the mailbox set via delegate rights, check they are applicable, or remove any inappropriate entries. Would this be documented in an email policy, or in some other kind of document? For example, if users have a responsibility to check delegate rights to their mailbox, do you need to tell them this in the policy?


    Same for users with “send as” rights: if they have send as rights, there are accountability issues in that you could not readily identify who is sending the email if, say, 15 people have send as permissions for a given mailbox. But do you need to put a point in the email policy around send as rights, or not? i.e. send as rights will only be granted where there is a business need that demonstrates send on behalf of is not applicable?


    Mailbox retention – does the policy need to state we will only keep mailboxes of ex-employees for x amount of days? Does that need to go into a policy, or is it just done?


    Just some general advice on the above on what typically goes in a policy, and what doesn’t. And if it doesn’t go in the policy, where does it go?

    Tuesday, June 21, 2011 12:59 PM


  • You know, this is probably not the place to come for legal advice since there are few if any attorneys at law participating in this forum.  I recommend that you consult with your company's legal department.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    • Marked as answer by Gen Lin Monday, July 4, 2011 8:16 AM
    Tuesday, June 21, 2011 7:19 PM