January 2006

Best Practices for Developing Online Communication Guidelines

Establishing effective online communication policies and procedures may prevent employee misuse of corporate resources and promote compliance with internal regulations.

Nancy Flynn
Executive Director
The ePolicy Institute

The proliferation of electronic communication programs at work, such as e-mail, instant messaging (IM), Weblogs, peer-to-peer (P2P) software, and voice over Internet protocol (VoIP) services may put company assets at risk. An employee's accidental misuse or intentional abuse of these technologies could create costly and time-consuming legal, regulatory, security, and productivity headaches for organizations. Establishing electronic policies (e-policies) and procedures that outline the proper use of these technologies will save businesses time, money, and effort in the short and long run.

Internal auditors are in a unique position to help companies protect their online communication assets from employee misbehavior or illegal activities by recommending e-policies and procedures that prevent unauthorized use of business resources. Below is a series of best practices organizations can use when developing their own policies and procedures governing the proper use of electronic communication tools and programs. Understanding these practices will help executives, IT departments, and auditors ensure employees are using company resources properly, while enhancing work productivity and promoting compliance with internal regulations.

THE THREE "Es" OF ELECTRONIC RISK MANAGEMENT

To reduce security risks and prevent accidental or intentional abuse of online communication programs — such as e-mail, IM, blogs, P2P, and VoIP — internal auditors can advise organizations to implement best practices that outline the proper ways to use these programs in partnership with the IT and human resources (HR) departments. Before, during, and after a corporate e-policy program is established, organizations should follow the three E's of electronic risk management:

  • Establishing comprehensive and clearly written policies and procedures that describe the allowed uses for all online communication programs and tools, including the Internet, P2P, blogs, e-mail, and IM. Organizations need to ensure employees can access all e-policies easily, as well as understand and adhere to these policies. One way to enhance compliance with e-policies is by avoiding vague language that may leave the policy open to individual interpretation. Organizations also must review and update e-policies at least annually to make sure they have rules in place that govern new and growing risks, such as the use of Weblogs (i.e., online journals or newsletters intended for the general public), audio content distributed through really simple syndication (RSS) feeds (i.e., podcasting), and other emerging technologies.
  • Educating employees. Organizations must support their e-policies and procedures with employee training. All directors and supervisors must make sure employees understand that policy compliance is mandatory for all staff.
  • Enforcing policies and procedures with a combination of disciplinary action and software. Executives should consider using a technological solution to monitor employee computer activities for better compliance assurance. For example, some IT solutions block Internet access to inappropriate sites and monitor employees’ online activities in real time. Organizations also should apply discipline consistently to demonstrate that management is serious about all policy compliance. Failure to discipline employees for e-mail-related misconduct, for instance, may encourage other staff to abuse the system and could create liability concerns for the organization.

Following these three simple steps will help organizations implement policies and procedures that are effective and are applied to all employees. In addition, education programs should remind employees that the Internet is a company tool to be used primarily for authorized business-related activities such as research. E-policies should prohibit wasteful and potentially risky Internet activities, including visiting online dating services, playing games, participating in chat rooms, gambling, shopping, and downloading streaming audio, video, and other bandwidth-consuming files. In addition, e-policies should inform employees they are prohibited from using a company's system to view, download, upload, forward, print, copy, or file objectionable and nonbusiness-related content.

Another reason to develop e-policies and procedures is the legal principle of “vicarious liability,” which holds an employer responsible for misconduct its employees commit in the course of their work, even when management is completely unaware there is a problem. Under this principle, a company may be held responsible by a court or regulatory body whether an employee intentionally violates Internet policy or accidentally visits an objectionable Web site. Monitoring software can help organizations reduce employee misconduct by alerting designated managers to e-policy breaches as they occur, but it is the written policy, training, and consistent discipline that demonstrate the organization took reasonable steps to prevent the misconduct. Companies should choose monitoring technology solutions that allow them to customize programs based on user needs, monitoring concerns, and information filtering and blocking requirements.

E-POLICY BEST PRACTICES

Employers are responsible for maintaining a harassment-free, discrimination-free, crime-free, and civil working environment. The development, implementation, and enforcement of comprehensive e-policies can help organizations accomplish this goal. Following is a list of best practices companies should keep in mind when developing their own e-policies and procedures:

  1. Put electronic policies in writing and distribute a hard copy to all employees. Companies should make sure all employees sign and date each policy and retain a signed copy in the employee's HR personnel file. Signing the document acknowledges employees have read it, understand it, and agree to comply with the policy or accept disciplinary action up to, and including, termination.
  2. Educate employees about corporate policies and the consequences of noncompliance. Executives can't assume employees understand the risks associated with use of the Internet at work and shouldn't expect them to comply with corporate policies without training. After all, companies may need to demonstrate their commitment to e-policy training in court one day. Therefore, organizations must ensure everyone in the company who attends training signs an acknowledgment form stating he or she has been trained, understands the policy, and knows the consequences of noncompliance and risky online behavior.
  3. Incorporate e-mail and IM retention guidelines. E-policies should state that all digital communication exchanges, including e-mails, instant messages, Weblog posts, and VoIP calls, will be treated as business records. As a result, e-policies and procedures should outline the proper steps to retain and archive all electronic business records: which records are kept, for how long, when and how they are destroyed, and how routine destruction is suspended when litigation or a regulatory inquiry is pending or reasonably anticipated.
  4. Set rules for personal use. E-policies must state exactly how much personal use is allowed for each program or application and use specific language that is not open to individual interpretation.
  5. Reiterate the organization's sexual harassment and discrimination policies. Make sure employees understand that the rules and policies governing sexual and racial harassment and discrimination also apply to employee use of the company’s computer system.
  6. Address ownership and privacy issues. HR departments and supervisors should inform employees that the computer system belongs to the company and that they have no reasonable expectation of privacy when using it. For example, if the company chooses to monitor Internet activity, the policy should clearly say so. Organizations also need to ensure their monitoring activities are lawful. In the United States, the Electronic Communications Privacy Act of 1986 generally prohibits intercepting electronic communications, but its exceptions, notably consent and the provider's right to protect its own system, are what permit employers to monitor their networks; a written policy that gives notice and obtains acknowledgment is how employers establish that consent. Some states go further and require advance notice of electronic monitoring. Employers should therefore check to make sure their e-policies are compliant with the laws and regulations governing workplace computer use in the states or countries in which they operate.
  7. Institute clear content rules and language guidelines. The e-policy should stipulate approved and banned language and content, as well as the proper business etiquette to follow when communicating online (e.g., how to draft proper e-mails sent through the company's e-mail system).
  8. Support all e-policies with technology. Because accidents happen and rogue employees occasionally trigger intentional disasters, it is almost impossible to ensure 100 percent compliance. As a result, organizations should consider supporting their e-policies with software designed to monitor content and block inappropriate use.

In addition to what organizations should do, there are a number of key actions companies must avoid. Below is a summary of each:

  1. Don't create separate policies for different employees. Establish corporate electronic rules, policies, and procedures that apply to all employees equally. Companies should never create separate policies for executives or allow individual offices to set their own Internet, P2P, e-mail, Weblog, VoIP, or IM policies. Allowing each division or office to establish its own policy, or applying different discipline rules based on title or rank, suggests the organization doesn't take its policy seriously and would be willing to overlook some violations or illegalities depending on who the offender is.
  2. Don't forget international associates. Some countries restrict or prohibit workplace computer monitoring, and data protection rules such as those in the European Union limit what an employer may collect and require that employees be told about it. If an organization has employees or offices operating in a foreign country, it needs to consult its legal team to understand the implications of that country's laws before drafting companywide online communication policies and procedures.
  3. Don't take enforcement of e-policies lightly. A team of upper-level employees should develop, implement, and enforce all e-policies. Ideally, this team should include legal, IT, HR, training, and records management staff. The organization also needs to establish specific penalties for policy violations and enforce penalties consistently.
  4. Don't leave compliance to chance. The most effective way to reduce Internet, e-mail, and IM risks is to combine written policy with ongoing employee education backed by content management and monitoring technology.

MOVING FORWARD

Managing an organization's electronic liabilities today is preferable to responding to disaster tomorrow. The best practices above will help companies develop and implement effective e-policies and procedures and, in the process, enable compliant, safe, and secure electronic communications that are less likely to trigger a workplace lawsuit, regulatory investigation, security breach, or other electronic disaster. Internal auditors can use these best practices as guidelines when reviewing corporate policies and procedures, while helping organizations enhance work productivity and creating a more secure online work environment.

ADDITIONAL RESOURCES

The following links provide sample e-policies for organizations looking to develop more effective online communication procedures:

Nancy Flynn is the founder and executive director of The ePolicy Institute, a U.S.-based organization dedicated to helping employers limit electronic risks through the development and implementation of effective e-mail, Internet, and software policies. The institute offers online sources of electronic policy books and training tools. Flynn has conducted hundreds of seminars on the subject of electronic policy and written various books, including The ePolicy Handbook: Designing and Implementing Effective E-mail, Internet, and Software Policies and Writing Effective E-mail: Improving Your Electronic Communication.

