Special Feature
Part of a ZDNet Special Feature: A Winning Strategy for Cybersecurity

Electronic communication: What needs to be in a good policy

Organizations need to set up clear guidelines on how employees can use company platforms and how data needs to be managed.

When it comes to essential security requirements for businesses, the electronic communications policy is decidedly unsexy. A painstakingly detailed document is rarely read in full outside of the employee onboarding process, and often languishes, unchecked, in the abyss of corporate paperwork.

That said, an electronic communications policy serves as the foundation for basic internet safety guidelines, business instant messaging practices, email standards, and general corporate policy for today's digital workplace. Without a solid policy in place, businesses open themselves up to a bevy of security issues, potential employee mishaps, and sometimes serious legal challenges.

What does a good policy look like?

In general, an electronic communications policy needs to be comprehensive -- meaning it covers all forms of electronic communication -- and well-defined.


"It's important to identify scope and purpose to help employees understand what you mean by electronic communications, and why this policy exists," said Heidi Shey, a senior analyst with research firm Forrester. "Does this only apply to email? What about VoIP calls, or texting, chat and messaging apps? Without a well-thought policy, everyone makes their own assumptions about what is acceptable use, and people may not know what they don't know about risks to the enterprise with using different forms of electronic communications."

Shey said it's also important to avoid making assumptions about the reader and to use clear, concise language that employees understand. A policy document should also provide a date for when it was last updated and a contact person for employees to go to if they have questions or concerns.

The most comprehensive, well-defined communications policies are usually written by a team of experts within an organization, spanning the departments of human resources, legal, audit and compliance, and information technology.

"That's because the document isn't about any one of these things individually," said Sean Pike, program VP for IDC's security products group. "It's about reducing risk throughout the business."

As far as terminology goes, the common bullet points in an electronic communications policy include:

  1. Guidelines on the appropriate use of email and other communication platforms
  2. Retention policies
  3. Proper internet usage

The policy should also contain clear language about prohibited uses of email, messaging platforms, internet and other electronic communications, as well as consequences and disciplinary actions for policy violations.

The security rationale

When it comes to email usage, the communications policy should set standards for appropriate content to send under the company banner, as well as rules for acceptable use and behavior, like avoiding personal messages and maintaining professionalism.

Precise guidelines are also needed to ensure that certain types of information remain within the confines of the business and only reach the eyes of intended recipients.

"The drivers are often risk or regulation," said Pike. "Accidentally leaking corporate crown-jewel intellectual property via email could be devastating, and accidentally emailing unencrypted personally identifiable information of customers could also create challenges."

Proper email usage is also key to preventing phishing scenarios. Corporate employees should be well-trained to avoid email that looks suspicious, and up-to-date anti-phishing training should be part of the email regimen in an effort to reduce security risks.

Policies surrounding email retention are needed to help companies ensure that they meet various data protection or retention requirements for relevant regulations, explained Shey. In healthcare, for instance, the Health Insurance Portability and Accountability Act (HIPAA) requires health care businesses to encrypt health data in transit and storage.

For financial services, the Financial Industry Regulatory Authority (FINRA) has issued guidance for social media and digital communications that requires archiving text messages for records retention purposes.

"This is so employees who are communicating with each other or clients using text messaging or a chat app for business purposes don't put the company at risk of non-compliance and possible data leakage," Shey said.

Both usage and leakage are important for internet guidelines as well. For the most part, companies want to make sure that users only go to approved web resources to reduce the risk of viruses or downloading unapproved software. Some companies even have policies that dictate behavior on an employee's personal social media accounts to reduce brand risk.

The exact details of a communications policy will vary depending on an organization's precise needs, but Pike noted that modern policies have trended toward being longer and more specific to ensure that every calculable risk is managed.

"There are plenty of ways to be destructive with communication, whether that's leaking information -- accidentally or purposefully -- or creating hostility toward a coworker," said Pike. "At the end of the day, these policies are in place to establish the way companies believe employees should act, or must act, given corporate culture or legal and regulatory obligations."

Sample policies

If you need a place to start in creating or updating your company's policies, these templates from our sister site Tech Pro Research (a paid resource) can help:
