Publication Summary

Title	Electronic Messaging Policy
Author(s)	Alessandro Cardinali
Issued by	CEO
Version doc. Review freq.	0.1 Yearly
Date of issue	December 11, 2023
Owner	Alessandro Cardinali
Document status	Draft – Final Draft - Final
Approval Date	n/a
Classification	Internal

Change Log

Version	Date	Author	Comments
0.1	December 11, 2023		First draft document
1.0	December 20, 2023

Contents

1 Introduction 8

2 Electronic messaging policy 9

2.1 Sending and receiving electronic messages 9

2.2 Monitoring of electronic messaging facilities 10

2.3 Use of email 11

Introduction

Electronic messaging has now become a vital business tool for communicating both internally and with customers and suppliers. However, because of its flexibility and general availability, the use of electronic messaging carries with it several significant risks and all users must remain vigilant and adopt good practice when sending and receiving messages.

Electronic messaging covers email and various forms of instant and store-and-forward messaging such as SMS texts, messaging apps, web chats and messaging facilities within social media platforms.

This policy document tells you how you may use the provided [Organization Name] electronic messaging facilities, including what you must and must not do. It applies to all use of these facilities whatever the means or location of access for example via mobile devices or outside of the office.

If you do not understand the implications of this policy or how it may apply to you, you should approach your line manager in the first instance.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to [Organization Name] systems.

The following policies and procedures are relevant to this document:

• Acceptable Use Policy

• Social Media Policy

• Internet Access Policy

• Asset Handling Procedure

• Information Classification Procedure

Electronic messaging policy

Sending and receiving electronic messages

The organization-provided electronic messaging facilities must always be used when communicating with others on official business. You must not use a personal account for this purpose. Guidelines on the sending of classified information via electronic messaging must always be observed. These are set out in document Asset Handling Procedure.

All messages sent from an organization account remain the property of [Organization Name] and are considered to be part of the corporate record. All organization messages should be considered to be official communications from the organization and treated accordingly.

The organization maintains its legal right to monitor and audit the use of electronic messaging by authorised users to assess compliance to this policy. This will be done in accordance with the provisions of relevant legislation.

Deletion of a message from an individual account does not necessarily mean that it has been permanently removed from the organization’s IT systems and such messages may still, be subject to audit and review.

Users should remain aware that it cannot be guaranteed that a message will be received or read by a recipient and that messages can be interpreted in different ways according to the culture, role and even prevailing mood of the individual reading it. You should therefore always consider whether the use electronic messaging is an appropriate means of conveying the information involved and whether an alternative such as the telephone would be preferable, particularly if the message is urgent or complex.

Particular care must be taken when addressing messages that include classified information to prevent accidental transmission to unauthorised recipients. Beware of the auto-completion feature of some text and email clients where the system suggests recipients based on the characters typed in so far.

Users must avoid sending unnecessary messages to distribution lists, particularly those with wide circulation such as the “global list” of all employees. Where required, such messages should be sent via the organization’s communications department.

Messages from an organization address should be considered in the same way as other more formal methods of communication. Nothing must be sent externally which might affect the organization’s reputation or affect its relationships with suppliers, customers or other stakeholders.

In particular, users must not send messages containing material, which is defamatory, obscene, does not comply with the organization’s equality and diversity policy or which a recipient might otherwise reasonably consider inappropriate. If you are not sure whether your intended message falls into this category, please consult your line manager before sending.

Official organization electronic messaging facilities must not be used:

• For the distribution of unsolicited commercial or advertising material, chain letters, or other junk-mail of any kind, to other organizations

• To send material that infringes the copyright or intellectual property rights of another person or organization

• For activities that corrupt or destroy other users’ data or otherwise disrupt the work of other users

• To distribute any offensive, obscene or indecent images, data, or other material, or any data capable of being resolved into obscene or indecent images or material

• To send anything which is designed or likely to cause annoyance, inconvenience or needless anxiety to others

• To convey abusive, threatening or bullying messages to others

• To transmit material that either discriminates or encourages discrimination on the grounds of race, gender, sexual orientation, marital status, disability, political or religious beliefs

• For the transmission of defamatory material or false claims of a deceptive nature

• For activities that violate the privacy of other users

• To send anonymous messages - i.e. without clear identification of the sender

• For any other activities which bring, or may bring, the organization into disrepute

If you receive unsolicited junk messages or spam, it is advised that you delete them without reading them. Do not reply to the message as this can confirm the existence of a valid address to the sender, resulting in further unwanted communications.

Monitoring of electronic messaging facilities

Electronic messaging usage within the organization system is monitored and recorded centrally in order to:

• Plan and manage its resource capacity effectively

• Assess compliance with policies and procedures

• Ensure that standards are maintained

• Prevent and detect crime

• Investigate unauthorised use

Monitoring will be undertaken by staff specifically authorised for that purpose. Consistent monitoring procedures will be applied to all users and may include checking the contents of messages.

If a manager suspects that the electronic messaging facilities are being abused by a user, they must contact the IT Manager. All such reports will be investigated according to documented procedures and where appropriate, evidence provided. There may also be a requirement to provide such information to regulatory or legislative bodies in accordance with the law.

Users must not access another user’s electronic messaging account unless they have obtained permission from the owner of the account or their line manager. In such cases this must be for legitimate business reasons and only messages which may reasonably be judged to be relevant to the question in hand should be opened.

Use of email

In addition to the policy statements in other sections of this document, the following guidance to users applies specifically to email.

All e-mails sent from organization addresses to recipients outside of the organization will automatically carry the following disclaimer:

“The information contained in this message is intended for the addressee only and may contain classified information. If you are not the addressee, please delete this message and notify the sender; you should not copy or distribute this message or disclose its contents to anyone. Any views or opinions expressed in this message are those of the individual(s) and not necessarily of the organization. No reliance may be placed on this message without written confirmation from an authorised representative of its contents. No guarantee is implied that this message or any attachment is virus free or has not been intercepted and amended.”

Do not use auto-forwarding on emails for example whilst on holiday, if there is a possibility that this may result in classified information being forwarded to a recipient that does not have sufficient security clearance for the level of information involved.

Your mailbox will be set up with a limitation on its size. This is in order to prevent the available storage capacity from being exceeded and to ensure the cost-effective use of email.

You must manage your email account(s) to remain within the mailbox size limit, making use of the archiving facility included in most email clients where possible. If your mailbox has filled up, contact the [IT Service Desk] for advice in the first instance.

Where possible, make use of links to files within email messages rather than attaching a copy of the file, particularly if the email message has a wide distribution. This will prevent other user’s mailboxes filling up and so avoid consequent disruption.

There is a system-wide size limit to emails which is 20Mb. If you need to send a larger email for legitimate business purposes, then please contact the [IT Service Desk] for advice.

Computer viruses, adware and other malware are small programs that can have a negative effect on your computer and your use of the internet and can expose the organization’s information to extreme risk. Such viruses can be inadvertently downloaded and installed via emails received into your inbox. The organization provides anti-virus software which runs on every computer that has access to the network and is intended to detect any viruses before they have been installed.

If you believe you may have a virus or you have been sent an email that may contain one, please report this to the [IT Service Desk] immediately. Do not open any attachments you believe may contain a virus.

In addition, you must not:

• Transmit by email any file attachments which you know to be infected with a virus

• Download data or programs of any nature from unknown sources

• Disable or reconfigure the installed anti-virus system operating on a computer used to access email facilities

• Forward virus warnings other than to the [IT Service Desk]

If a computer virus is deliberately or accidentally sent to another organization, [Organization Name] could be held liable if the trans