Internet and Email Acceptable Use Policy

Guidelines for Secure Enterprise Internet and Email Practices

Clear rules make stronger defenses, and this tool is designed to help organizations strengthen governance and reduce misuse risk by assessing how effectively their internet and email usage policies protect systems, data and reputation. This Internet and Email Acceptable Use Policy supports internal audit, IT, and compliance teams in evaluating whether acceptable-use expectations are clearly defined, consistently applied, and aligned with security and regulatory requirements.

This tool includes four samples to support different policy and audit needs. Sample 1 presents a comprehensive, enterprise-wide acceptable-use policy covering internet and email access with detailed security guidance. Sample 2 focuses specifically on email use, offering a more concise policy centered on permissible and prohibited activities. Sample 3 addresses both company and personal webmail, incorporating modern workforce and data protection considerations. Sample 4 is a detailed audit program that walks auditors through procedures to assess email surveillance, privacy, security and compliance controls in depth.

Sample procedures include:

  • Do not transmit proprietary or confidential materials over any public computer system unless properly encrypted.
  • Email backups are created for business recovery. Electronic information is subject to the legal discovery process and can be subpoenaed.
  • Users with personal email accounts that are accessible by way of a webmail portal must keep access to personal email minimal.