
2/29/2016 Email Policies: Tools to Govern Usage, Access and Etiquette - IT-Toolkits.org
http://it-toolkits.org/blog/?p=67

Email Policies: Tools to Govern Usage, Access and Etiquette - IT-Toolkits.org

Email is a fast, easy and readily accessible means of business communication. It has changed the way we communicate. These are the obvious rewards – but they are also the basis of every risk. Whenever email content is ill-advised, inappropriate, or even gets into the wrong hands, negative consequences can follow, including legal liability, regulatory penalties, confidentiality breaches, damage to corporate reputation, public embarrassment, internal conflicts, and all the related losses in productivity and performance that these circumstances can cause. Further, data loss and damage to technology assets can be realized through the transmission of malicious code, spam and computer viruses.

Perform the “What-if” Analysis: What are the risks to my organization of email abuse and/or misuse, and what are the likely consequences if these risks are not properly addressed? The next step is to weigh the costs and complications of each mitigating action against the likelihood and severity of the risk it addresses, and to strike an appropriate balance between the two.

To eliminate email usage is impractical and even unthinkable – so the goal has to be to minimize the risks through the best means possible – and that is through the use of technical security controls and practical, relevant and enforceable email policy. To realize all of the intended goals and objectives, related policies (which will integrate closely with data security and internet usage policies) must encompass four (4) key governance needs:

1. Email Usage: To determine the circumstances under which email can and will be used within a given organization, whether there will be any limits and/or restrictions on the types of information that can be transmitted via email, as well as any limits and/or restrictions on the use of business email systems for personal communications.

2. Email Oversight: To establish that emails are official company records and to determine the manner in which email usage will be monitored and controlled, including the “ownership” of email content transmitted on business email systems.


3. Email Etiquette: To establish formatting, content and usage guidelines designed to minimize the risk that email content will be deemed unprofessional, offensive, inappropriate or subject to ridicule and criticism.

4. Email Management: To establish and implement appropriate technical controls to limit the risks of inbound spam, viruses and malicious code, and to establish automated procedures for email backup, storage and retention.

As a whole, usage, oversight, etiquette and management parameters must be combined to formulate “policy” that is aligned with business and technical needs, realistic considering actual communication needs, and enforceable considering corporate culture and related technical abilities.

Key Questions for Policy Scope and Content

To ensure that all usage, oversight, etiquette and management needs can be met, adopted email policies must be designed according to anticipated email usage, corporate culture, characteristics, business requirements, legal requirements, technical requirements and internal capabilities for enforcement. The list below provides a head start for policy planning, listing the key questions to be considered and addressed as part of the policy development process:

Policy Purpose

What are the specific goals of this email policy?
Why has the policy been created (considering the background events leading to policy development)?
What will the policy accomplish considering email usage, access, etiquette and management goals and objectives?

Policy Basis

What is the underlying authority and/or organizational basis for this email policy (considering internal guidelines and/or external regulatory requirements)?
Do you have sufficient executive support to enforce compliance with all of the policy provisions?

Policy Scope

What are the organizational targets of the policy considering company-wide applicability, division specific application, departmental application or location specific application?

Policy Stakeholders

Who are the policy stakeholders considering both individuals and groups who have a vested interest in the policy and ability to influence the outcome?
What are the specific roles and responsibilities required to implement, administer and enforce all policy terms, including all stated compliance obligations?

Email Management

What are the means and methods to be utilized to manage and secure all email systems considering access, standards for email addresses, restrictions on attachment size, remote access, spam and junk mail limitations and related management controls?

Compliance and Enforcement Guidelines

What are established guidelines for email policy compliance?
Will there be any exceptions and/or waivers with regard to policy compliance? If so, what are the terms under which exceptions and/or waivers will be granted?
How will compliance be enforced and what are the consequences for a failure to comply?
How will employees be provided with training relating to email policy compliance?
What types of auditing procedures will be used to monitor and promote email policy compliance?

You may also like

We all know that I.T. stands for “information technology” and that’s no accident. In fact, it’s a reflection of the primary mission of every I.T. organization – to provide the means and methods for creating, storing, transmitting, printing and retrieving business related information. By design, this operational mission is driven by the need to “protect”, which also includes preventing unauthorized access, uncontrolled modification and unwarranted destruction. The priorities are self evident – data integrity is vital, and vital needs must be met with purpose and commitment. The tricky part is to balance vital interests with the associated costs and operational overhead. This is the higher purpose of data security and the goal of related policy development.


Data Security Practices and Policy Purpose

As discussed, “data security” provides the means by which business data and related information is protected and preserved. This is realized in multiple ways, as listed below:

Data security technology and practices provide the means by which data can be safely created, stored, transmitted, printed and retrieved.
Data security technology and practices provide the means by which data accuracy and integrity is ensured and maintained.
Data security technology and practices provide the means to prevent and control unauthorized access, modification and destruction.
Data security technology and practices provide the opportunity to minimize the risks and costs associated with data loss, data corruption and unauthorized access.

Of course, the physical means of “securing data” are essential to the process. You must have the technical ability (through hardware and software) to physically meet each of the above listed objectives. But that will only take you part of the way. To realize all of the intended benefits, data security practices must be “institutionalized” – i.e. integrated into the corporate culture and made part of how a given organization works. This is achieved through the development and implementation of effective “data security policy”. Policy is a governance mechanism, used to translate tangible security objectives into organizational terms that can be implemented and enforced. In the case of data security, related policies provide the “how, what, and why” to communicate security objectives and promote expected compliance.

To fulfill this mission, data security policy must be developed and documented to reflect the following components and answer the underlying formative questions:

Policy Purpose

What are the specific goals of this data security policy?
Why has the policy been created (considering the background events leading to policy development)?
What will the policy accomplish considering data security goals and objectives?

Policy Basis

What is the underlying authority and/or organizational basis for this data security policy (considering internal guidelines and/or external regulatory requirements)?
Do you have sufficient executive support to enforce compliance with all of the policy provisions?

Policy Scope

What are the organizational targets of the policy considering company-wide applicability, division specific application, departmental application or location specific application?
What are the data targets of the policy considering the types of files, records, information and applications covered by the policy?


Policy Stakeholders

Who are the policy stakeholders considering both individuals and groups who have a vested interest in the policy and ability to influence the outcome?
What are the specific roles and responsibilities required to implement, administer and enforce all policy terms, including all stated compliance obligations?

Security Means and Methods

What are the means and methods to be utilized to realize all identified data security requirements, including data encryption, data access restrictions, security monitoring, data classifications, user ID requirements, password requirements, data storage mechanisms, and related matters?

Compliance and Enforcement Guidelines

What are established guidelines for data security compliance?
Will there be any exceptions and/or waivers with regard to policy compliance? If so, what are the terms under which exceptions and/or waivers will be granted?
How will compliance be enforced and what are the consequences for a failure to comply?
How will employees be provided with training relating to data security compliance?
What types of auditing procedures will be used to monitor and promote data security compliance?

Take an Inclusive Approach to Policy Development

Every data security policy will benefit from an inclusive approach to development and implementation. It takes a partnership between all of the interested and invested stakeholders to fully realize policy relevance and enforcement. In the collaborative approach, the end-user partner defines the need (the data to be protected and the business basis behind the security requirements). The IT partner provides the technical means (and capability) by which the identified data security needs can be met. These needs and means are then combined to form actionable policy through an “inclusive” development process, characterized by input and collaboration at every stage:

Policy planning relies on input and information relating to data security needs and policy objectives.
Policy preparation relies on the review of policy drafts, negotiation, and feedback relating to specific terms and related obligations.
Policy implementation relies on the documented acceptance (and approval) of policy terms and compliance obligations on the part of decision making stakeholders.

As policy development unfolds, checkpoints should be established to ensure that all decision making stakeholders have been sufficiently engaged in the development process. Considering the long term benefits of collaborative policy development (compliance is more readily secured when you have advance buy-in), it’s always a good idea to create a “policy team” or committee as the organizational vehicle for policy development. This policy team or committee should include members from all sides – the end-user community, IT department, Legal department, Human Resources and any other appropriate department with something to contribute. This will help to ensure that the policy delivered represents all interests, incorporates all concerns, and has the greatest chance to succeed.

You may also like

Experience has shown that good things happen when the right set of end-user technology standards are appropriately planned and applied. Tangible benefits can be realized across a broad spectrum, ranging from improved IT service quality, to lowered technology management costs, and more (as the list below demonstrates):

1. By limiting the variety of hardware and software products in use, IT departments will have the opportunity to develop focused, in-depth product expertise, thereby improving the quality and responsiveness of essential technical support services.

2. By limiting the variety of products in use, IT departments can better test and manage product compatibility, thereby reducing the number of platform conflict problems.

3. Standardization can lower technology acquisition costs through volume purchasing, bringing discounted pricing, as well as greater leverage to negotiate more favorable maintenance and training contracts.

4. With a focus on a specific set of technology products, the end-user community will have the opportunity to develop in-depth product expertise – to enhance operational productivity and maximize technology utilization.

5. Standardization can minimize the risks associated with an uncontrolled technology portfolio, facilitating disaster recovery planning, software licensing management, and security management.

This list is impressive, but by no means guaranteed. Standardization is not the answer to every problem, and the best standards will amount to little more than “bureaucracy” if not properly designed and implemented. Under certain circumstances, standards can also backfire, creating more problems than they solve. When standards are created simply for power and control, lacking sufficient flexibility, and without full consideration of business needs, in all likelihood they will be bypassed. This helps no one – not the business, not the end-users and certainly not the IT department.

Step by Step to Standards Planning

Step 1: Identify primary goals and objectives. What are your current needs and how will standards help you meet your goals and objectives? This analysis will form the basis for your standards justification needed to convince skeptical end-users and ambivalent managers.

Step 2: Identify requirements. What types of technology products (hardware and software) will be addressed by these planned standards?

Step 3: “One Size Probably Does Not Fit All”. Make sure you provide sufficient alternatives within any hardware or software product set, to accommodate different needs and preferences.

Step 4: Consider remote locations. Small satellite offices may have unique needs to which established standards may not apply. You may need to create new standards for remote sites or carve out appropriate exemptions.

Step 5: Be flexible. Create standards with sufficient flexibility, providing for a “waiver” process so that “non-standard” products can be utilized whenever needed.

Step 6: Involve end-users in the standards process. Establish a workable process for standards development and approval, which involves the end-user community.

Step 7: Communicate. Keep end-users sufficiently informed about all elements of the standards process. You will need to let end-users know how standards are selected, what the current standards are, how to request a waiver, and how to submit a desired product for standards review. You can do this through a newsletter, policy manual, new employee orientation, training session, or through any other marketing method available to you.

Step 8: Ask for feedback. Provide an open, publicized mechanism for feedback on your standards selections and related processes. The more buy-in and participation you get the better. At least people will be talking about the process, even if the standards themselves are in dispute.

Step 9: Enforce standards consistently. Standards will be meaningless if your end-users know that they can be easily ignored (or bypassed). If standards are to deliver expected benefits, you must have sufficient management support to enforce related policies and procedures. This level of management support will be easier to come by if you maintain open communications with your end-users, and if you are prepared to justify standards decisions with “facts and figures”.

Step 10: Integrate standards guidelines and purchasing procedures. Standards will be easier to control and maintain when they are supported by relevant purchasing procedures. If the IT department is responsible for technology acquisition, standards can be more readily enforced. However, depending upon organizational needs and considerations, it is not always feasible for the IT organization to carry the burden of order processing. In these cases, you might ask your purchasing department to forward non-standard purchase requests to IT for review.

Step 11: Don’t abdicate IT responsibility. If the only response given to a request for non-standard technology is “no”, you’ll just end up with a fair number of unsupported products and a whole lot of finger pointing. Collaborative approaches are far more effective: work with end-users to find acceptable solutions to unique technology needs.
