IOM ITC Policy: Email - International Organization for Migration
Electronic mail (email) has become a vital, effective and efficient tool of modern business communications; however, email can be misused and abused and can generate massive waste of resources. Like any business transaction, email in the organizational context should be treated as a professional and formal method of correspondence. All IOM staff members’ emails sent/received using the IOM email system are official IOM documents, unless clearly marked as private. This policy provides guidelines for the proper use of email.

1 Mailbox Creation and Deletion

Upon duly completing the Account Creation Form (refer to Account and Password Management Policy, section 4 of IT Policies and Guidelines), each user will be assigned an email address and a mailbox in the IOM internal email system.

Users who leave the Organization, upon completing the Account Deletion form, will have their mailbox deleted according to the user account deletion rules defined in Account and Password Management Policy, section 4 of IT Policies and Guidelines. Separated users should complete the necessary forms prior to departure to ensure proper archiving and handover of all files saved in email accounts.

Mailboxes are assigned to individuals. For business purposes, some shared mailboxes are created, such as the department mailboxes that are accessible to several users.

2 Distribution Lists

Global and local email distribution lists are created by the IT staff upon request. Distribution list owners will be assigned to be responsible for the maintenance of distribution lists. A user may only be included in a distribution list upon request to the distribution list owner.

3 Email Security and Authenticity

The authenticity of email accounts should be preserved and users should apply strict access controls because they are responsible for all emails sent from their email account.
Email correspondence should be limited to recipients who are carefully chosen, and confidential indicators, codes, or encryption tools should be used to protect the transmission of sensitive information and personal data of project beneficiaries.

Users must not use another user’s unattended computer to send emails or find any other method to send a message that does not clearly identify the individual as the sender. Certain users may be granted permission to send emails on behalf of other users, but such emails should be clearly identified as being sent by the individual and must be signed on behalf of the account holder. For sending messages from shared mailboxes, users must always identify themselves.

4 Prohibited use of email

Email accounts are created for IOM business purposes. The use of IOM email for operating a personal business or for any undertaking that offers personal gain is unacceptable. Users must not use email for prohibited activities as outlined in the Acceptable Use Policy (section 3 of IT Policies and Guidelines).

5 Virus and Spam Protection

It is the policy of the Organization to scan all incoming emails for viruses. Emails containing any form of malicious software will be deleted from the system automatically, without notification to the sender or intended recipient.

As a precaution, the ITC Division runs an Anti-SPAM engine with specified blocking rules in order to avoid SPAM. Suspicious emails are blocked and a notification is sent to the user, who can unlock the message if sent from a reliable source. However, the Anti-SPAM engine may not capture all SPAM messages in 100% of the cases. Users should be aware that very few legitimate messages may be classified as SPAM, but only on rare occasions. If known business-related messages are not delivered, users should check their quarantined messages. If the message is not there, users should call the IT Helpdesk.

It is the responsibility of the particular user and the relevant ITC officer to ensure that proper security settings are implemented on each workstation (refer to ITC Standards and Guidelines, Instruction 88).

As with any other type of software that runs over a network system, email users have the responsibility to follow sound security practices. Email users should be aware of the following:

a. Email users must be alert to suspicious messages and refrain from opening email that they are not familiar with;
b. Attachments can contain viruses and other malware. Users should only open attachments from known and trusted correspondents or sources. Suspicious attachments should be reported to the IT Helpdesk.

6 Disclaimer

All outgoing emails have been automated with the following disclaimer:

“This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. If this email has been sent to you by error, please notify the sender immediately and then delete the email from your system. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of the Organization.”

Email users must keep this disclaimer on all IOM outgoing messages to protect the interests of the Organization.

7 Guiding Principles on email use

It is important that users are aware that the Organization’s email is a business communication tool which should be used in a responsible, effective and lawful manner. Users should keep in mind the following basic principles when composing and sending emails.

7.1 Role of email

In principle, email is an electronic communication tool that is used to exchange messages. Compared to traditional mail, it is similar to memoranda, letters or documents distributed to individuals or small groups.

7.2 Message content

Email messages should be concise and simple. Whenever possible, the message should be written directly in the email body and not as an attachment. When personal data of project beneficiaries is sent, it should be protected by confidentiality indicators, codes or encryption in separate attachments (refer to the IOM Data Protection Manual (MA/88), Security Principle).

IOM recipients, particularly in the field missions, encounter major problems in downloading large messages due to the local telecommunication facilities. Users should therefore refrain from including superfluous items, such as images or icons, as well as a letter header in emails, because they are in most cases not useful and are heavy in terms of size.

7.3 Recipients of email

Distribution lists should be used selectively and messages should only be addressed to recipients who have a direct interest in the content of the email.

Users are required to avoid too many addresses in the TO list, particularly when actions are requested, because, unless specifically noted in the body of the message, this creates confusion about who should take action.

When replying to a message, Reply to All should be avoided if it is not necessary and the address list should be modified to include only those concerned.

The subject line of the email should be clear and should relate to the content of the message.

Users should sign the message as the sender, even if it is sent from a department mailbox or another user account, and the IOM website address should be included at the end of the signature.

7.4 Email option tools

With Microsoft Outlook, users have a wide variety of option tools at their disposal, such as delivery and read receipts, importance or sensitivity of the message, and the option of flagging messages (i.e. for review, reply, or follow-up). When appropriate, these option tools may be used without restrictions. However, some should be used with caution, especially the “High” importance option, which should be reserved for urgent messages, because if used too often it will detract from the importance of the message. The read receipt notification should only be used if required.

7.5 Attachments

Attachments should be opened and sent with care as viruses use email as a channel to attack, spread and infect the network system. Users should apply caution when receiving non-work related email messages even if they are from known senders. Users should avoid sending chain emails with suspicious attachments and should be aware of email hoaxes.

7.6 Cleaning/organizing mailboxes

Users should keep their mailbox organized and delete all non-essential email over 30 days old. Other emails to be retained should be moved to personal folders or archived in electronic storage areas. Cleaning mailboxes regularly will facilitate the management of the information stored therein. Some of these tasks might be automated by creating rules (see “Rules and Alerts” option in “Tools” menu). There are also archiving possibilities available through the use of personal folders (PST files) provided by Microsoft Outlook.

7.7 Size of mailbox and email

Users should note that mailboxes have a maximum size to allow for an acceptable level of storage space on the IOM server. When the limit of the mailbox capacity is reached, the user will not be able to send new messages until the mailbox size is reduced.

In order to avoid congestion of the email network system, limits will be defined by ITC for the size of outgoing and incoming emails. Users should keep the size of email messages as small as possible and avoid including superfluous items (images, icons, etc.).

7.8 Handling large email

Large emails should be limited as much as possible. Different techniques can be used to keep the size of a message below the limits, and each computer should have software installed for implementing these techniques, such as WinZip for archiving or compressing files and Adobe Tools for PDF conversion. Users should consult with their ITC officer on appropriate methods of sharing large files, rather than sending them through email.
7.9 Handling of confidential and/or sensitive data

Users should be aware of the risks of sending emails that infringe upon data protection, confidentiality and information privacy rights. The content, email recipients and any possible implications of an outgoing message should be considered before sending it.

Sensitive information and personal data transmitted via email over the Internet are not safe. They can be read by unintended recipients, and malicious third parties could potentially intercept and manipulate email traffic. Therefore, users should not use email to transfer sensitive information and personal data, such as credentials, personal data and case specific details of project beneficiaries, social security numbers and account numbers, without the necessary security safeguard such as encryption.

Users should limit email recipients on a need to know basis and, where appropriate, use confidentiality indicators/disclaimers, encryption, codes or pseudonyms to protect confidentiality during email transmission.

Users should not respond to any request from an unknown sender to disclose any information and data. Such disclosure requests should be forwarded to the IT Helpdesk or escalated to the ITC Division (itcdpt@iom.int).

7.10 Email etiquette

The IOM Staff Regulations and Rules and the IOM Standards of Conduct (IN/15) apply to the use of email. All emails should be professional and courteous. Users must not create and send emails that in any way compromise IOM’s image and credibility; this includes sending chain messages, defamatory notes, harassment, publishing personal views and opinions, or derogatory and discriminatory comments on race, gender, religion, colour, national origin, marital status, sexual orientation, age, physical disability or political conviction.

All users should carefully consider how the recipient might interpret a message before composing or sending the message.
Responses to emails should not be emotional, and it is prudent to occasionally save the reply message without sending it, wait a few hours, and read it again before sending it.

7.11 Proper use of email

Email should not be used as a publication system. Other tools, such as the IOM Intranet, are a better platform for publication (for example, users should not use email to send notification of office closure or holidays to All Users/All Missions; instead the IOM Intranet should be used to post such messages).