Introduction
The electronic mail (e-mail) systems provided by or used at
True Value Company are intended to assist employees and vendors in carrying out corporate business by facilitating communication between individuals and work groups. The intent of this Policy and its Standards is to address the use of, access to, review, and disclosure of e-mail messages transmitted through
True Value's systems.
Policy Statement
Corporate e-mail systems are to be used for True Value
related business purposes only. True Value treats all e-mail messages sent, received, and/or stored in its systems as corporate records. Corporate e-mail systems must not be used to continue, distribute, or circulate chain letters and inappropriate/offensive content.
True Value does not assure any personal right of privacy for any e-mail message or document transmitted through the use of corporate equipment or systems.
True Value reserves the right to access all e-mail messages transmitted through corporate equipment or systems, without prior notice, and to disclose the message to any person or entity that
True Value deems appropriate. True Value retains the right to determine the acceptable use of its e-mail systems.
Standards
Management’s Right to Access Information
E-mail messages are company records. The content of e-mail, properly obtained for legitimate business purposes, may be disclosed within the Company without user permission. Therefore, it should not be assumed that messages are confidential. Backup copies of e-mail messages may be maintained and referenced for business and legal reasons.
The Company may inspect the contents of electronic messages:
- In the course of an investigation triggered by the indication of impropriety, as necessary to locate substantive information that is not readily available by some other means
- In the process of correcting a problem with a respective electronic mail tool where no other alternative is available
- At any time the Company deems it necessary
Requests to access the content of electronic mail messages must be approved in advance by the Sr. V.P. of Human Resources.
Message Content
The use of e-mail to transmit any message or file whose content violates any
True Value Policy or state or federal law is prohibited.
Examples of prohibited use include, but are not limited to:
- Communications that contain defamatory, sexually-oriented, obscene, offensive, threatening, or harassing language, pictures and/or videos
- Files that contain copyrighted materials for which required permission to use or distribute was not obtained
Message Integrity and Disclosure
Incidental use of the e-mail systems to transmit messages of a personal nature will be treated by
True Value no differently than True Value related business e-mail messages.
Safeguards of E-mail systems
Employees are prohibited from the unauthorized use of the password and encryption keys of other employees to gain access to another employee's e-mail messages. Only senior management can authorize such use. Message encryption features of the e-mail system should be enabled when allowed by law.
Local copies of a user's GroupWise mailbox should have the password set. This will prevent somebody from opening the local mailbox without knowledge of the user's
GroupWise password. The local mailbox contains a replicated copy of the user's
GroupWise mailbox and calendar.
Internet E-mail
The True Value mail system can send and receive Internet mail messages. Unauthorized use of external mail services (examples: AOL mail, MSN mail, CompuServe mail) for company correspondence is expressly forbidden (authorization must be obtained from Information Security in World Headquarters). To use Internet electronic mail appropriately, the following must be done:
- Treat all information put into Internet electronic mail as if it were publicly available information. Internet electronic mail is susceptible to interception, redirection, or loss. As a result, electronic mail through the Internet must not be used as a secure method of communications for sensitive information.
- Treat all electronic mail correspondence as if it is a potential record that can be used in litigation. (Legal precedents exist where electronic mail has been subject to discovery in lawsuits.) Do not put information in Internet electronic mail correspondence that you would not put on
True Value letterhead paper correspondence.
E-mail must NOT be used on the Internet to:
- Develop business processes that depend on guaranteed or reliable message delivery through the Internet unless the inherent unreliability of the Internet is accounted for in the process. Internet electronic mail is frequently delayed or lost and can not be counted on as a totally reliable message delivery system
- Send or receive information with inappropriate humor or graphics. Use of electronic mail on the Internet must be in accordance with other
True Value Company policies
- Distribute chain letters
- Distribute personal opinions that do not reflect the stated position of
True Value
- Distribute information that may be sensitive to True Value
Other E-mail Considerations
E-mail and electronic scheduling are excellent tools for communicating, sharing documents, and scheduling meetings. These tools can reduce the time required to share information and enhance business processes. However, information transmitted via e-mail can be vulnerable to a variety of security and confidentiality threats. Additional considerations when using e-mail include:
- Erasing a message from personal files does not necessarily erase all copies of the message. The message may have been forwarded, printed, or archived and may be stored for substantial periods of time
- Federal law does not establish a general right to privacy in the work place
- E-mail can be connected by gateways to other e-mail systems
- E-mail may include attachments in electronic form and may be saved as files in a directory that is not encrypted
- Computer viruses can be spread via e-mail systems
- E-mail messages can be "blind copied" to other e-mail users (E-mail can be forwarded without all recipients names displayed on the message).
Responsibilities
Local
Area Network (LAN) and e-mail administrators are responsible for:
- Implementing safeguards that ensure proper use of e-mail systems and
the protection of Corporate information
- Purge e-mail after 1 year. E-mail messages, attachments, and
calendars use shared resources that must be used efficiently.
Department
managers are responsible for:
- Ensuring that all employees and service providers comply with this
Policy and its related Standards
- Notifying the HR department of terminated and transferred employees
- Notifying the Information Systems Security Administration of
terminated consultants and/or external providers who were allowed email
access to the corporate network.
- Approving extended access to terminated consultants and/or external
providers who were allowed email access and notifying Information Systems
Security Administration of such request.
Extended access will be limited to 2 weeks after formal notification
of termination or account expiration. Requests for extended access to a
deactivated/expired account must be approved V.P. of the business area
requesting the extension.
HR
Department is responsible for:
- Notifying the Information Systems Security Administration office of
terminated and transferred employees.
- Approving extended access to deactivated employee email upon
management request and notifying Information Systems Security Administration
of such request. Extended access
will be limited to 2 weeks after formal notification of user deactivation.
Requests for extended access to a deactivated account must be
approved Sr. V.P. of Human Resources.
User
responsibilities are to:
- Comply with all company policies and standards
- Exit or password-protect their workstation when it is left
unattended
- Delete or archive e-mail messages within a reasonable period of
time. E-mail messages, attachments, and calendars utilize disk space that is
shared among many other users and must be treated as a shared resource
- Use e-mail consistent with its intended purpose. Do not use e-mail
as a replacement for file transfer utilities. Attachments should be a
business document of a reasonable size, not data files
- Change passwords in accordance with Corporate standards
- Use e-mail consistent with its intended purpose. Do not use an
e-mail account assigned to another individual to either send or receive
messages. Use features/facilities such as message forwarding to allow others
read access to personal mail messages
References
See Chapter 6 Access Controls for more information on password security standards.
See Chapter 3 for additional standards related to the e-mail over the Internet.
See Appendix E: Laptop Security for more information on securing PCs and laptops.