
Note: In this sample, please review carefully all the text within the <> brackets and change it to suit your organisation's needs. We also urge you to review all the remaining text and tune it to match your corporate policies.

Introduction

Use of email by employees of <business name> is permitted and encouraged where such use supports the goals and objectives of the business. <Replace the above with a more relevant description of service and the reasons why you encourage its use>

Scope of this Policy

This policy covers all users of the <business name>, including all employees, contract employees, work placement trainees and anyone else to whom access is provided. However, for the purposes of monitoring and investigation only, the Senior Management Team and accredited IT Support Services staff are excluded from the scope of this policy. <Replace the above with a more relevant scope statement if necessary>

Acceptance of the Policy

All users of the <business name> systems and resources must read, understand, and accept the terms and content of this policy framework. Use of the login user account and password allocated to an individual is taken as a statement of understanding and willingness to comply with the terms of the Email Usage Policy Framework of <business name>. <Replace the above with a more relevant statement if necessary>

Unacceptable behaviour

The following behaviour by an employee is considered unacceptable:

  • use of company communications systems to set up personal businesses or send chain letters
  • forwarding of company confidential messages to external locations
  • distributing, disseminating or storing images, text or materials that might be considered indecent, pornographic, obscene or illegal
  • distributing, disseminating or storing images, text or materials that might be considered discriminatory, offensive or abusive, in that the context is a personal attack, sexist or racist, or might be considered as harassment
  • accessing copyrighted information in a way that violates the copyright
  • breaking into the company’s or another organisation’s system or unauthorised use of a password/mailbox
  • broadcasting unsolicited personal views on social, political, religious or other non-business related matters
  • transmitting unsolicited commercial or advertising material
  • undertaking deliberate activities that waste staff effort or networked resources
  • introducing any form of computer virus or malware into the corporate network

<Replace the above with a more relevant statement if necessary>

General Policy

  • You will be the sole person authorised to use this User ID.
  • You will be solely responsible for all actions undertaken by your User ID while it is valid.
  • You will not let others use your User ID and Password, nor inform others of your User ID or Password.
  • You will be responsible for all electronic mail originating from your User ID.
  • You will not forge, or attempt to forge, electronic mail messages.
  • You will not attempt to read, delete, copy, intercept or modify electronic mail directed to other users without prior consent.
  • You will not send, or attempt to send, harassing, obscene and/or threatening email to another user of any email service.
  • You will not send 'for-profit' messages or chain letters.

<Replace the above with more relevant statements if necessary>

Monitoring of Email

In support of the business interests of the <business name>, and to comply with our legal obligations, <business name> reserves the right to monitor the volume and content of incoming and outgoing email across the Systems and to investigate complaints regarding the use of individual email accounts. <business name> has an interest in regulating the content of electronic mail to ensure that the <business name>'s policies and procedures are being complied with and for legitimate business purposes. <business name> reserves the right to electronically scan all incoming and outgoing email for viruses and for Spam. Any email which is found to contain a virus, or any message identified as Spam, will be blocked from entering or leaving the Systems. <Replace the above with more relevant statements if necessary>

Sanctions

Where it is believed that an employee has failed to comply with this policy, they will face the company's disciplinary procedure. If the employee is found to have breached the policy, they will face a disciplinary penalty ranging from a verbal warning to dismissal. The actual penalty applied will depend on factors such as the seriousness of the breach and the employee's disciplinary record. <These procedures will be specific to your business. They should reflect your normal operational and disciplinary processes. You should establish them from the outset and include them in your acceptable use policy.>

Company Owns Employee Email

Keep in mind that the Company owns any communication sent via email or that is stored on company equipment. Management and other authorized staff have the right to access any material in your email or on your computer at any time. Please do not consider your electronic communication, storage or access to be private if it is created or stored at work.

Specific Policy definition

Mithi recommends that, rather than defining policies per user, you define policies for classes of users (groups). This allows you to manage properties for a smaller set of entities and also prevents mistakes where a setting is applied for one user and missed for another. If a user belongs to a class of service (COS), that user inherits the properties from the COS automatically, and a change in a COS property is reflected immediately and automatically for all the users it contains. This lets you define policies at three levels: Global, Domain, and Groups (Class of Service).

Global Policies

All the services below are available to all users, with access and other control parameters defined at the level of the domain and class of service.

Services offered

The collaboration applications provided by <business name> to the users include the following services:

<Email, Chat, Calendar, Personal Address Book, Shared Address Book, Email scanning for virus/spam, Email to SMS> <Turn off services not to be offered and don't list them here>

Services running

To enable the applications chosen above, the following services will be running on the servers:

<SMTP, POP, POPS, IMAP, IMAPS, HTTP, HTTPS, LDAP, XMPP, SMS, CalDAV> <Turn off services not to be offered and don't list them here>

Access offered

To access the above applications, the following clients may be used:

<Web client via Firefox, Chrome, Internet Explorer 8 and above; Thunderbird desktop email and calendar client; desktop chat clients like Neos, Pidgin, etc.; mobile clients like Android phones/tabs/pads, iPhone and iPad>

  • Blackberry: email access over IMAP/POP using BIS.
  • All other mobiles: connect to POP/IMAP/SMTP over GPRS.
  • Calendar: available over CalDAV only, for compliant clients like iPhone, iPad and Android phones/tabs/pads.
  • Shared Address Book: available via LDAP for LDAP-compliant devices like iPhone, iPad and Android phones/tabs/pads.
  • Supported services: POP, IMAP, CalDAV, SMTP.

<Specify which clients are allowed to access the applications as per your guidelines (formed on the basis of security, standardisation, cost, etc.)>

Email controls

  • Maximum message size (incoming and outgoing): <20 MB>
  • Maximum recipient count in a single mail: <50>
  • Maximum number of mails sent by a single user in a day (rate control): <150>
  • Each outgoing mail will automatically carry an organisation disclaimer/footer.
  • For further security, Mail Sanitisation has been <Enabled/Disabled>. This means that scripts within a mail will not be executable, and some mail may appear as plain text in your Baya web client.
  • As part of our mail flow policy control, no user in the company can send mail to <list of domains and/or email ids> or receive mail from <list of domains and/or email ids>.
  • No user in the company can send mail with attachments greater than <n> MB and/or more than <m> attachments, or attachments with these extensions: <list the extensions which are disallowed>. Mail with the following text in the subject or body will also be disallowed.
  • Compliance Mail Archival is <Enabled/Disabled>: a copy of every mail sent and received is stored for reference only by select members of top management and the IT team. This archive is not available to the end users.
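The controls listed above (size and recipient limits, a per-sender daily rate, blocked domains, attachment count/size/extension limits and disallowed text) are what a mail gateway evaluates on every message. The block below is an added example written for this page, not Mithi's own code: it models those checks as a single policy evaluator over a constructed message type. The `Message`/`Attachment` classes, the `POLICY` values and the `DailySendCounter` helper are assumptions chosen to mirror the placeholders in the template.

```python
"""Mail-flow policy checks modelled on the 'Email controls' statements above.
Illustrative code written for this page, not Mithi's implementation; every
limit, domain and phrase below is a constructed sample value."""
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str
    size: int          # bytes


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    size: int          # total size of the message in bytes
    attachments: list = field(default_factory=list)


# Constructed policy values; replace with the values chosen for your organisation.
POLICY = {
    "max_message_bytes": 20 * 1024 * 1024,    # maximum message size, <20 MB>
    "max_recipients": 50,                     # recipients per mail, <50>
    "max_mails_per_day": 150,                 # rate control, <150>
    "blocked_domains": {"example.invalid"},   # <list of domains and/or email ids>
    "max_attachment_bytes": 10 * 1024 * 1024, # attachments larger than <n> MB
    "max_attachments": 5,                     # more than <m> attachments
    "blocked_extensions": {".exe", ".scr", ".js"},
    "blocked_text": ["lottery winner"],       # disallowed subject/body text
}


class DailySendCounter:
    """In-memory per-sender, per-day counter backing the rate control.
    A real gateway would persist this; it is kept in a dict here for illustration."""

    def __init__(self):
        self._counts = {}

    def count(self, sender, day):
        return self._counts.get((sender.lower(), day), 0)

    def record(self, sender, day):
        key = (sender.lower(), day)
        self._counts[key] = self._counts.get(key, 0) + 1
        return self._counts[key]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def _extension(filename):
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def evaluate_message(msg, policy=POLICY, sent_today=0, direction="outgoing"):
    """Return the list of policy violations for msg; an empty list means it may pass.
    sent_today is the number of mails the sender has already sent on the current day."""
    violations = []
    if msg.size > policy["max_message_bytes"]:
        violations.append("message too large")
    if len(msg.recipients) > policy["max_recipients"]:
        violations.append("too many recipients")
    if direction == "outgoing" and sent_today + 1 > policy["max_mails_per_day"]:
        violations.append("daily send limit reached")
    # Blocked domains apply to the destination for outgoing mail and to the sender for incoming.
    if direction == "outgoing":
        blocked = [r for r in msg.recipients if _domain(r) in policy["blocked_domains"]]
    else:
        blocked = [msg.sender] if _domain(msg.sender) in policy["blocked_domains"] else []
    if blocked:
        violations.append("blocked domain: " + ", ".join(blocked))
    if len(msg.attachments) > policy["max_attachments"]:
        violations.append("too many attachments")
    for att in msg.attachments:
        if att.size > policy["max_attachment_bytes"]:
            violations.append(f"attachment too large: {att.name}")
        if _extension(att.name) in policy["blocked_extensions"]:
            violations.append(f"blocked attachment type: {att.name}")
    text = (msg.subject + "\n" + msg.body).lower()
    for phrase in policy["blocked_text"]:
        if phrase.lower() in text:
            violations.append(f"disallowed text: {phrase!r}")
    return violations


if __name__ == "__main__":
    counter = DailySendCounter()
    mail = Message("alice@acmecorp.com", ["bob@acmecorp.com"], "Q3 report",
                   "Report attached.", 2_000, [Attachment("report.pdf", 1_500)])
    print(evaluate_message(mail, sent_today=counter.count(mail.sender, "2024-01-15")))
```

The evaluator collects every violation instead of stopping at the first one, so a rejection notice (or a log line for the IT team) can name all the reasons at once; the rate control is deliberately applied only to outgoing mail, since the template describes it as a limit on what a single user sends.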

Spam

The mail content is scanned by SpamAssassin to detect spam. Mail marked as spam is filtered into each user's spam folder on the MEM XF setup itself (optional). This can be changed to filter spam into each user's spam folder on the gateway server instead (recommended for easier management, since the end users can then log in via the web client and release their mail).

A report/digest is sent to each user daily at a scheduled time. This report contains a list of all email which was marked as spam or rejected by the reputation filtering system. If the user finds a mail which is a "false positive" (genuine mail that was marked as spam), they have the option to release the mail by clicking on a link in the report, or to whitelist the sender so that future mail from this sender won't be marked as spam.

You as a user may whitelist domains and email ids from which you are confident that you will not receive spam. Similarly you may blacklist domains and email ids from which you would not like to receive mail. While the system will accept mail from blacklisted senders, the mail will be marked as spam without any further processing and delivered into your spam folder.

Virus

Mail in which a virus is detected is marked and moved into a quarantine folder, and will not be available to the end user. The end users will not be informed about this.

Backup

<business name> will put in place processes and systems to ensure a daily backup of the mail store and the configuration of the server, in preparation for any disaster recovery if required. However, <business name> will not be responsible for the mail residing on your desktop clients. It is strongly recommended that you use whatever processes and systems are necessary (or as prescribed by <business name>) to ensure that your client data is fully backed up.

Data Recovery

In case you lose mail on your client, the IT team can attempt to restore your mailbox from the personal archive (which holds every mail you sent and received in the last <n> year(s)), if that was configured for your account. If this is not available, and if the latest backup is available, the IT team can try to restore the latest snapshot of your mailbox. However, please note that if you were using POP without Leave copy, you may find very little mail in the backup.

Queue lifetimes & Bounces

Undeliverable mail will be kept in the queue for a maximum of <n> days (the queue lifetime). During this period the system will attempt to resend the mail at set intervals. If the mail remains undeliverable for the whole queue lifetime, it is bounced (sent back to the sender with an explanation of the problem).

Uptime

<business name> has chosen an architecture to provide the maximum possible uptime and has put in place processes and systems to maintain availability. However, this cannot be guaranteed.

Scheduled maintenance

From time to time the collaboration solution will need upgrades and other maintenance, and <business name> will make all possible attempts to minimise the downtime to end users. We will give sufficient notice to the end users to plan around the maintenance window.


Domain Policies

A further level of control is provided at the individual domain level, which may further refine the global policies.

Services offered

Users of this particular domain can use the following services (which are already enabled in the global policy):

<Chat, Calendar, Email scanning for virus/spam, Email to SMS> <List the ones available for the domain>

Archiving

The Personal Archiving service is <enabled/disabled> for users of this domain. This facility allows selected users to have a parallel archive account, which serves as a backup for their original mailbox, from which selected mail or the entire mailbox can be retrieved in case of any eventuality. A copy of each mail sent and received by the selected users is kept in this parallel archive account for the decided duration (typically one year).

The Compliance Archiving service is <enabled/disabled> for users of this domain. This facility keeps a copy of each mail sent and received by all the users in a central storage, which is encrypted and accessible only via a search interface open to authorised top management and select IT personnel.


Group Policies (Class of Service)

A third level of control is defined per class of service (COS): users in a COS inherit these settings, which refine the global and domain policies for that group.

Security

For users of this COS, password policies are enabled. These include minimum password length, compulsory complex password entry during reset, and password expiry after the defined period.

For users of this COS, access to the IMAP service is allowed only from these IPs: <list all IPs or IP ranges from which it is allowed> OR For users of this COS, access to the IMAP service is disallowed/blocked.

For users of this COS, access to the POP service is allowed only from these IPs: <list all IPs or IP ranges from which it is allowed> OR For users of this COS, access to the POP service is disallowed/blocked.

For users of this COS, access to the HTTP service is allowed only from these IPs: <list all IPs or IP ranges from which it is allowed> OR For users of this COS, access to the HTTP service is disallowed/blocked.

Users of this COS will have to authenticate to send mail over SMTP.
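The security statements above amount to two per-COS rule sets: which services a user may reach and from which IP ranges, and what a password must satisfy (minimum length, complexity on reset, expiry). The block below is an added example written for this page, not the product's code: it encodes one constructed COS and evaluates both rule sets against it. The `COS_POLICIES` structure, the ranges, the three-character-class complexity rule and the 90-day expiry are all assumptions standing in for the template's placeholders.

```python
"""Class-of-service (COS) security checks modelled on the statements above:
per-service IP allow lists and password rules. Illustrative code written for
this page, not the product's implementation; the COS values are constructed."""
import ipaddress
from datetime import date

# Constructed COS definitions. A service mapped to None is disallowed/blocked;
# a service mapped to a list of networks is allowed only from those ranges.
COS_POLICIES = {
    "staff": {
        "services": {
            "imap": ["10.0.0.0/8", "192.168.10.0/24"],   # office ranges only
            "pop": None,                                  # blocked for this COS
            "http": ["0.0.0.0/0"],                        # webmail from anywhere
        },
        "password": {"min_length": 10, "require_complex": True, "expiry_days": 90},
    },
}


def access_allowed(cos, service, client_ip, policies=COS_POLICIES):
    """True if a user of `cos` may reach `service` from `client_ip`.
    Services not listed for the COS are denied rather than allowed by default."""
    ranges = policies[cos]["services"].get(service)
    if ranges is None:
        return False
    ip = ipaddress.ip_address(client_ip)
    # Membership is False when the address family differs (an IPv6 client
    # never matches an IPv4 range), so mixed families fail closed.
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def password_problems(password, rules):
    """List the rules a new password breaks (an empty list means acceptable)."""
    problems = []
    if len(password) < rules["min_length"]:
        problems.append("shorter than minimum length")
    if rules["require_complex"]:
        # Complexity here means at least three of: lower, upper, digit, symbol.
        classes = [
            any(c.islower() for c in password),
            any(c.isupper() for c in password),
            any(c.isdigit() for c in password),
            any(not c.isalnum() for c in password),
        ]
        if sum(classes) < 3:
            problems.append("needs at least three character classes")
    return problems


def password_expired(last_changed, rules, today=None):
    """True once the password is as old as the COS expiry period or older."""
    today = today or date.today()
    return (today - last_changed).days >= rules["expiry_days"]


if __name__ == "__main__":
    rules = COS_POLICIES["staff"]["password"]
    print(access_allowed("staff", "imap", "10.2.3.4"))    # True
    print(access_allowed("staff", "pop", "10.2.3.4"))     # False
    print(password_problems("short", rules))
```

Keeping the allow lists as network prefixes rather than individual addresses matches the template's "IPs or IP ranges" wording, and a service missing from the COS map is treated the same as one explicitly set to None, so forgetting to list a service cannot silently open it.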

As part of our mail flow policy control, users of this COS cannot send mail to <list of domains and/or email ids> or receive mail from <list of domains and/or email ids>. Also, none of them can send mail with attachments greater than <n> MB and/or more than <m> attachments, or attachments with these extensions: <list the extensions which are disallowed>. Mail with the following text in the subject or body will also be disallowed. <Rewrite the above to suit the policy applied>

For all users of this COS, Personal archiving is enabled for a period of 1 year. This means that at any given moment the users have the option to retrieve mail sent and received by them up to 1 year back from today OR For all users of this COS, Personal archiving is disabled. <Change the above statement according to your policy.>

For users of this COS, Compliance Archiving is <enabled/disabled>. This facility keeps a copy of each mail sent and received by all these users in a central storage, which is encrypted and accessible only via a search interface open to authorised top management and select IT personnel.

Mail client

For any user of this COS using the Baya Webmail client, a maximum of <n> attachments can be sent with a mail.

Similarly, for users of this COS, the cumulative attachment size in a single mail must not exceed <n> MB.

For users of this COS, the BCC facility is <available/not available> via Baya.

For users of this COS, the following features are enabled via the settings page of Baya: <Forwarding, Account information updates, Signature, Web calendar, Personal info updates, Filters> <Remove the ones not to be visible to the end users>

Mail Storage/Retention

For users of this COS, the quota available for their mailbox is <n> MB.

For users of this COS, the quota policy applied is to <block sending/block receiving> when the used mailbox size exceeds the allocated quota.

For users of this COS, mail having attachments larger than <n> MB will be automatically stripped of their attachments, kept centrally on the server and a link will be sent to the recipients using which they can retrieve their original mail.

No matter what service or protocol you are allowed to use (POP, IMAP or HTTP), you have to maintain your mailbox within the quota limit specified for you. You may use POP with Leave copy, but if the quota fills up the applicable quota policy will become active, which may prevent you from sending mail OR may prevent you from receiving mail.
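The retention statements above describe two mechanisms: a quota policy that, once the mailbox is over its limit, blocks either sending or receiving but not both, and the stripping of oversized attachments into central storage with a retrieval link sent in their place. The block below is an added example written for this page, not the product's code: it makes both decisions for a constructed mailbox and message. The quota sizes, the in-memory `ATTACHMENT_STORE` and the link format are assumptions; `mail.acmecorp.com` is reused from the page's own client configuration.

```python
"""Mailbox quota enforcement and large-attachment offloading modelled on the
'Mail Storage/Retention' statements above. Illustrative code written for this
page, not the product's implementation; quota sizes, the link format and the
in-memory store are constructed (mail.acmecorp.com is the page's sample host)."""
import secrets

MB = 1024 * 1024
QUOTA_BYTES = 500 * MB        # <n> MB mailbox quota
STRIP_ABOVE_BYTES = 5 * MB    # attachments larger than <n> MB are offloaded


def quota_decision(used_bytes, action, quota_bytes=QUOTA_BYTES,
                   quota_policy="block receiving"):
    """Decide whether a 'send' or 'receive' action may proceed for a mailbox.
    Returns (allowed, reason). Only the action named by the quota policy is
    blocked once the mailbox is over quota; the other continues to work."""
    if used_bytes <= quota_bytes:
        return True, "within quota"
    if quota_policy == "block sending" and action == "send":
        return False, "quota exceeded: sending blocked"
    if quota_policy == "block receiving" and action == "receive":
        return False, "quota exceeded: receiving blocked"
    return True, "quota exceeded, but this action is not blocked by policy"


ATTACHMENT_STORE = {}   # constructed stand-in for the central server-side store


def offload_large_attachments(attachments, threshold_bytes=STRIP_ABOVE_BYTES,
                              base_url="https://mail.acmecorp.com/attachments/"):
    """Strip attachments above the threshold, keep them centrally and return
    (kept_attachments, retrieval_links). Each link carries an unguessable
    random token rather than a content hash, so a link cannot be derived
    from knowledge of the file."""
    kept, links = [], []
    for name, data in attachments:
        if len(data) > threshold_bytes:
            token = secrets.token_urlsafe(16)
            ATTACHMENT_STORE[token] = (name, data)
            links.append(base_url + token)
        else:
            kept.append((name, data))
    return kept, links


if __name__ == "__main__":
    print(quota_decision(600 * MB, "receive"))
    kept, links = offload_large_attachments(
        [("notes.txt", b"x" * 100), ("build.iso", b"y" * (6 * MB))])
    print([n for n, _ in kept], links)
```

Because the quota check is made per action, a user on a "block receiving" policy can still send mail to ask for help (or delete mail via POP/IMAP/webmail to get back under quota), which is the behaviour the paragraph above describes.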

Services

Users of this COS are <allowed/disallowed> to use the calendar facility.

Users of this COS are <allowed/disallowed> to use the SMS facility.

Distribution lists

Users of this COS are allowed to send mail only to these distribution lists: <List all the allowed distribution lists OR all>

Client configurations

  • POP Server: pop.acmecorp.com (mail server's IP)
  • IMAP Server: imap.acmecorp.com (mail server's IP)
  • SMTP Server: smtp.acmecorp.com (mail server's IP)
  • HTTP Server: mail.acmecorp.com (mail server's IP)
  • LDAP Server: ab.acmecorp.com (mail server's IP)
  • XMPP Server: chat.acmecorp.com (mail server's IP)
  • Calendar Server: calendar.acmecorp.com (mail server's IP)

Note: While configuring email access via a desktop client for SMTP/POP/IMAP, you need to provide the full email id as the user id to enable authentication and authorisation.

Address book client configurations

For each desktop client, we would add an LDAP address book which maps to the LDAP directory of the server. Depending on the client's capability, the addresses can be cached as well. This will be a common address book containing all the contacts (directory and GAB).

For backward compatibility, we would maintain the DAB database, but this is not discontinued in Connect XF. The clients would need to change to using the LDAP address book interface on the server.

Password change operation for users

This will be disabled on the CXF Baya interface, since the change has to be done on ADS. You would need to provision an interface on ADS for this if required; we can attach a custom link pointing to it on the Baya interface.

References

Policy statements reproduced in part from: