IOM ITC Policy: Email - International Organization for Migration

IOM ITC Policy: Email
ELECTRONIC mail (email) has become a vital, effective and efficient tool of modern business communications, however, email can be
misused and abused and can generate massive waste of resources. Like any business transaction, email in the organizational context should be
treated as a professional and formal method of correspondence. All IOM staff members’ emails sent/received using IOM email system are official
IOM documents, unless clearly marked as private. This policy provides guidelines for the proper use of email.
1
Mailbox Creation and Deletion
Upon duly completing the Account Creation Form (Refer to
Account and Password Management Policy, section 4 of IT Policies
and Guidelines), each user will be assigned an email address and a mailbox in
the IOM internal email system. Users who leave the Organization, upon
completing the Account Deletion form, will have their mailbox deleted
according to the user account deletion rules defined in Account and Password
Management Policy, section 4 of IT Policies and Guidelines. Separated users
should complete the necessary forms prior to departure to ensure proper
archiving and handover of all files saved in email accounts. Mailboxes are
assigned to individuals. For business purpose some shared mailboxes are
created, such as the department mailboxes that are accessible to several users.
2
Distribution Lists
Global and local email distribution lists are created by the IT staff
upon request. Distribution list owners will be assigned to be
responsible for the maintenance of distribution lists. A user may only be
included in a distribution list upon request to the distribution list owner.
3
Email Security and Authenticity
The authenticity of email accounts should be preserved and users
should apply strict access controls because they are responsible
for all emails sent from their email account. Email correspondence should be
limited to recipients who are carefully chosen and confidential indicators, codes,
or encryption tools should be used to protect the transmission of sensitive
information and personal data of project beneficiaries. Users must not use
another user’s unattended computer to send emails or find any other method
to send a message that does not clearly identify the individual as the sender.
Certain users may be granted permission to send emails on behalf of those
users, but such emails should be clearly identified as being sent by the
individual and it must be signed on behalf of account holder. For sending
messages from shared mailboxes, users must always identify themselves.
4
Prohibited use of email
7
Guiding Principles on email use
Email accounts are created for IOM business purposes. The use of
IOM email for operating a personal business or for any undertaking
that offers personal gain is unacceptable. Users must not use email for
prohibited activities as outlined in the Acceptable Use Policy, section 3 of IT
Policies and Guidelines).
It is important that users are aware that the Organization’s email is
a business communication tool which should be used in a
responsible, effective and lawful manner. Users should keep in mind the
following basic principles when composing and sending emails.
7.1
Role of email
In principle, email is an electronic communication tool that is used to exchange
messages. Compared to the traditional mail, it is similar to memoranda, letters or
documents distributed to individuals or small groups.
7.2
Message content
Email messages should be concise and simple. Whenever possible, the message
should be written directly in the email body and not as an attachment. When
sending personal data of project beneficiaries it should be protected by
confidentiality indicators, codes or encryption in separate attachments (Refer to
the IOM Data Protection Manual (MA/88), Security Principle). IOM recipients,
particularly in the field missions, encounter major problems in downloading
large messages due to the local telecommunication facilities. Users should
therefore refrain from including superfluous items, such as images or icons, as
well as a letter header in emails, because they are in most cases not useful and
are heavy in terms of size.
7.3
Recipients of email
Distribution lists should be used selectively and messages should only be
addressed to recipients who have a direct interest in the content of the email. It
is required to avoid too many addresses in the TO list, particularly when actions
are requested, because unless specifically noted in the body of the message, it
creates confusion about who should take action. When replying to a message,
the Reply to All should be avoided if it is not necessary and the address list
should be modified to include only those concerned. The subject line of the
email should be clear and should relate to the content of the message. Users
should sign the message as the sender, even if it is sent from a department
mailbox or another user account, and IOM website address should be included
at the end of the signature.
7.4
Email option tools
With Microsoft Outlook, users have a wide variety of option tools at their
disposal, such as deliver, read receipt, importance or sensitivity of the message,
and the option of flagging messages (i.e. for review, reply, or follow‐up). When
appropriate, these option tools may be used without restrictions. However, some
should be used with caution, especially the “High” importance option, which
should be reserved for urgent messages, because if used too often it will detract
from the importance of the message. The read receipt notification should only
be used if required.
7.5
Attachments
Attachments should be opened and sent with care as viruses use email as a
channel to attack, spread and infect the network system. Users should apply
caution when receiving non‐work related email messages even if it is from
known senders. Users should avoid sending chain emails with suspicious
attachments and should be aware of email hoaxes.
Virus and Spam Protection
It is the policy of the Organization to scan all incoming emails for
viruses. Emails containing any form of malicious software will be
deleted from the system automatically, without notification to the sender or
intended recipient. As a precaution, the ITC Division runs an Anti‐SPAM engine
with specified blocking rules in order to avoid SPAM. Suspicious emails are
blocked and a notification is sent to the user who can unlock the message if sent
from a reliable source. However, the Anti‐SPAM engine may not capture all SPAM
messages in 100% of the cases. Users should be aware that very few legitimate
messages may be classified as SPAM, but only in rare occasions. If known
business‐related messages are not delivered, users should check their
quarantine message. If the message is not there, users should call the IT
Helpdesk. It is the responsibility of the particular user and the relevant ITC officer
to ensure that proper security settings are implemented on each workstation
(Refer to ITC Standards and Guidelines, Instruction 88). As with any other types
of software that runs over a network system, email users have the responsibility
to follow sound security practices. Email users should be aware of the following:
a. Email users must be alert to suspicious messages and refrain from opening
email that they are not familiar with;
b. Attachments can contain viruses and other malware. Users should only open
attachments from known and trusted correspondents or sources. Suspicious
attachments should be reported to the IT Helpdesk.
5
6
Disclaimer
All outgoing emails have been automated with the following
disclaimer:
“This email message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. If this email has been sent to
you by error, please notify the sender immediately and then delete the email
from your system. Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to be the
views of the Organization.” Email users must keep this disclaimer on all IOM
outgoing messages to protect the interests of the Organization.
7.6
Cleaning/organizing mailboxes
Users should keep their mailbox organized and delete all non‐essential email
over 30 days old. Other emails to be retained should be moved to personal
folders or archived in electronic storage areas. Cleaning mailboxes regularly
will facilitate the management of the information stored therein. Some of these
tasks might be automated by creating rules (see “Rules and Alerts” option in
“Tools” menu). There are also archiving possibilities available through the use of
personal folders (PST files) provided by Microsoft Outlook.
7.7
Size of mailbox and email
Users should note that mailboxes have a maximum size to allow for an
acceptable level of storage space on the IOM server. When the limit of the
mailbox capacity is reached, the user will not be able to send new messages
until the mailbox size is reduced. In order to avoid congestion of the email
network system, limits will be defined by ITC for the size of outgoing and
incoming emails. Users should keep the size of email messages as small as
possible and avoid including superfluous items (images, icons, etc.).
7.8
Handling large email
Large emails should be limited as much as possible. Different techniques can
be used to keep the size of a message below the limits and each computer
should have software installed for implementing techniques such as WinZip
for archiving or compressing files and Adobe Tools for PDF conversion. Users
should consult with their ITC officer on appropriate methods of sharing large
files, rather than sending them through email.
7.9
Handling of confidential and/or sensitive data
Users should be aware of the risks of sending emails that infringe upon data
protection, confidentiality and information privacy rights. The content, email
recipients and any possible implications of an outgoing message should be
considered before sending it. Sensitive information and personal data
transmitted via email over the Internet is not safe. It can be read by
unintended recipients and malicious third parties could potentially intercept
and manipulate email traffic. Therefore, users should not use email to transfer
sensitive information and personal data, such as credentials, personal data
and case specific details of project beneficiaries, social security numbers and
account numbers without the necessary security safeguard such as
encryption. Users should limit email recipients on a need to know basis and,
where appropriate, use confidentiality indicators/disclaimers, encryption,
codes or pseudonyms to protect confidentiality during email transmission.
Users should not respond to any request from an unknown sender to disclose
any information and data. Such disclosure requests should be forwarded to
the IT Helpdesk or escalated to the ITC Division (itcdpt@iom.int).
7.10
Email etiquette
The IOM Staff Regulations and Rules and the IOM Standards of Conduct
(IN/15) apply to the use of email. All emails should be professional and
courteous. Users must not create and send emails that in anyway compromise
IOM’s image and credibility, this includes sending chain messages, defamatory
notes, harassment, publishing personal views and opinions, or derogatory
and discriminatory comments on race, gender, religion, colour, national origin,
marital status, sexual orientation, age physical disability or political conviction.
All users should carefully consider how the recipient might interpret a
message before composing or sending the message. Responses to emails
should not be emotional and it is prudent to occasionally save the reply
message without sending it, wait a few hours, and read it again before
sending it.
7.11
Proper use of email
Email should not be used as a publication system. Other tools such as the IOM
Intranet is a better platform for publication (for example, users should not use
email to send notification of office closure or holidays to All Users/All Missions;
instead the IOM Intranet should be used to post such messages).