Policies
How can my organization introduce and enforce email usage policies?
If you do not already have an email policy in place, the following section provides some guidance to the steps you should take.
STEP 1: Get senior management approval
Since an email policy affects all staff that have access to email in an organization, it is essential to get the buy-in and support of senior management.
STEP 2: Designate an email policy team
To ensure that the policy is introduced smoothly, a policy team should be formed to oversee and drive email policy creation and implementation. It is recommended that the policy team, at the very least, be comprised of individuals representing:
- Senior Management: This will ensure that the email policy will receive the required support and funding to complete the task.
- Human resources: Since dealing with email abuse is a behavioral rather than a technical issue, your HR department should be involved at the outset.
- Information Services: They will be able to add the technical expertise to help bridge the gap between behavioral problems and technical solutions. They will contribute in identifying the electronic risks and recommending the most effective software tools and techniques to manage the risks identified.
- Legal Counsel: Before implementing your email policy, be sure that all relevant laws are addressed and your company’s rights, in addition to those of your employees, are protected.
The email policy team may also comprise the following:
- Public Relations Manager: In the event of an email crisis, your PR manager/consultant will be responsible for keeping employees, media, customers, and shareholders informed. You should consider including an e-crisis communications plan as part of your comprehensive email policy.
- Writing coach: An effective way to control e-risks is to train employees in email writing techniques. Establish an electronic writing policy to ensure that employee email is compliant with both your email policy and corporate
- Research consultant: A research specialist can help in the development, undertaking, and analysis of an internal email audit.
STEP 3: Consult with departments and senior managers
Monitoring employees’ email can be an emotional subject. Some employees may be concerned about their email being scrutinized and controlled, and may regard it as an infringement on their privacy. Therefore, from the outset it is essential to get senior department managers to buy into the new policy.
Employees need to know what constitutes an acceptable level of personal communication in using the company email system. It should be made clear that the company email system offers a low level of privacy as any message could be inspected.
By informing each department head of the proposed policy, and accepting their input and agreement to its implementation, you will help prevent negative reactions from employees.
A confidential employee audit survey is also recommended. It may be useful in identifying what issues may be at hand. For instance, the following questions may be addressed:
- Do employees use the corporate email system for personal use? Why and to what extent?
- On an average day, how many emails do employees receive and how much time do they spend managing email?
- Do employees receive/send inappropriate or offensive messages at work? What type of mail is it (e.g., pornographic, threatening, racially discriminating)? Do they find this particularly upsetting?
- Have employees been disciplined in the past for inappropriate email abuse?
- What level of email receipt is unsolicited? How do employees deal with spam (i.e., do they read before deleting or delete immediately)?
- Have employees received viruses via the corporate email system? If so, how many and what was the action taken?
- Do employees take care with checking content, grammar, spelling and punctuation before sending an email? Have they ever sent email by mistake, for example by hitting the Send” key by accident?
- Are employees aware that email can be used as evidence in workplace lawsuits?
- Are employees aware that management has the right to read employee email?
The above are some suggestions you may wish to cover in a workplace audit, but by no means are they exhaustive. Thus, you may wish to think of other issues you need to consider before beginning the next stage, i.e., drafting the policy.
STEP 4: Write policy document
When you have collected all the feedback from each department, you can begin constructing the policy together with a guide that specifies acceptable use. Key elements of the policy should include:
- Purpose of introducing policy
- Scope of policy (who is affected by it)
- Explanation of what and how email is being monitored
- Clear description of what is and what is not acceptable
- Disciplinary procedure in cases of policy breach
Although the policy should state what constitutes a breach, it is recommended that a user guide is made available to each employee. The guide should not only clarify what is or is not deemed adequate, but it should also demonstrate the benefits of having a policy in place.
STEP 5: Select email filter software
Having decided on the areas that your policy will monitor, you are now in a position to decide what software will do the job. Due to the increase in unsolicited email, currently there are numerous products available on the market to choose from.
The first step you should take is to decide if you wish to outsource the filter management to a 3rd party hosting company or maintain it in-house. Second, you need to verify which application will ensure that each of your filter requirements can be easily monitored. For example, if you will be restricting emails by file size, attachment types, keywords (subject and/or body), to and from addresses, number of recipients, mailbox limits, individual user customization, then you need to ensure that the software will allow you to customize these filters.
STEP 6: Educate employees
Although sometimes difficult, it is essential to receive employee support, agreement, and acceptance of the policy. You should state clearly the reasons for the action undertaken: to emphasize your point, perhaps cite recent court cases, productivity loss statistics, etc.
Communicate the benefits to the employees and the business in the same way that you would sell the benefits of your product or service to your customers.
STEP 7: Monitor and review
You will need to monitor regularly the results of your policy and modify the filter settings accordingly. Should the changes affect the original guidelines you put in place, you will need to inform all users. For example, you may want to extend the policy to cover internet access and use, instant messaging, and video conferencing.
It can also be a good idea to provide all users with feedback on how the email policy is helping your business. For example, provide regular reports on increase in productivity and resulting profit, decline in spam and virus receipt, and increased system bandwidth.
STEP 8: Remind employees of policy
Finally, research shows that people require five to seven exposures to new messages/concepts before they understand and consequently adopt them. You need to remind employees (and inform newcomers) of the email policy recurrently. This can be done by sending the policy out via email once a quarter, including it in your employee handbooks, holding seminars on the most effective ways of using email, and reporting back on the benefits of having the policy in place.
An important aspect of this last step is also to penalize offenders as laid out in the policy document. If employees discover that the policy can be breached without consequences, you will quickly find yourself back to the situation prior to implementing the policy.
