1.0 Overview
Email is extensively used across various industry verticals and serves as the primary method of communication and awareness within an organization. However, improper use of email can introduce legal, privacy, and security risks. It is crucial for users to understand the appropriate use of electronic communications in order to mitigate these risks.
2.0 Purpose
The purpose of this Email Policy is to ensure the proper use of Voyages Encore Travel Inc.'s ("Encore") email systems and inform users about Encore's acceptable and unacceptable use of its email system. This policy establishes the minimum requirements for email usage within the Encore Network.
3.0 Scope
This policy applies to the appropriate use of any email sent from an Encore email address and is applicable to all employees, vendors, contractors, consultants, and agents operating on behalf of Encore.
4.0 Policy
- All email usage must comply with Encore's policies and procedures governing ethical conduct, safety, compliance with applicable laws, and proper business practices.
- Encore email accounts must be used primarily for Encore business-related purposes. Limited personal communication is permitted, but non-Encore-related commercial uses are prohibited.
- All Encore data contained within an email message or attachment must be secured in accordance with the Data Protection Standard.
- Email should only be retained if it qualifies as an Encore business record. An email is considered an Encore business record if there is a legitimate and ongoing business reason to preserve the information contained therein.
- Emails identified as Encore business records must be retained in accordance with the Encore Record Retention Schedule, as outlined in the Data Retention & Disposal Policy.
- The Encore email system must not be used to create or distribute any disruptive or offensive messages, including offensive comments related to race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practices, political beliefs, or national origin. Any employee receiving such emails from an Encore employee should promptly report the matter to their manager.
- Users are prohibited from automatically forwarding Encore email to third-party email systems, as described in the next item. Individual messages forwarded by users must not contain information classified as confidential or above.
- Users are prohibited from using third-party email systems and storage servers, such as Google, Yahoo, and MSN Hotmail, for Encore business purposes, creating binding transactions, or storing or retaining email on behalf of Encore. Such communications and transactions must be conducted through approved Encore systems.
- Reasonable personal use of Encore resources for email is acceptable. However, non-work-related emails must be saved in a separate folder from work-related emails. Sending chain letters or joke emails from an Encore email account is prohibited.
- Encore employees should have no expectation of privacy for any content stored, sent, or received on the company's email system. Encore reserves the right to monitor email messages without prior notice, although it is not obligated to do so.
4.1 Encryption
Email communications containing sensitive information or Personally Identifiable Information ("PII") must be encrypted during transit. Encore employs encryption mechanisms to protect the confidentiality and integrity of email messages and attachments. Users must utilize encryption features provided by the Encore email system when sending sensitive or confidential information via email.
4.2 Spam Filtering
Encore has implemented robust spam filtering measures to minimize the risk of unsolicited and malicious emails reaching users' inboxes. The spam filtering system is designed to detect and block spam, phishing attempts, malware, and other potentially harmful content. Users should report any suspicious emails that bypass the spam filter to IT Management immediately.
4.3 Phishing Awareness Training
To mitigate the risk of falling victim to phishing attacks, Encore provides regular phishing awareness training to all employees, vendors, contractors, consultants, and agents. This training educates users on the common signs of phishing emails, best practices for identifying and reporting phishing attempts, and the importance of not clicking on suspicious links or providing sensitive information in response to email requests. Users are required to participate in and successfully complete the phishing awareness training program.
4.4 CASL Legislation Compliance
Encore adheres to the requirements outlined in the Canadian Anti-Spam Legislation ("CASL"). Users must ensure that any email communications sent to recipients in Canada comply with CASL regulations, including obtaining necessary consent for sending Commercial Electronic Messages ("CEM"), providing proper identification and contact information, and including an opt-out mechanism for recipients to unsubscribe from future communications.
Encore maintains records of consent and implements processes to manage and honor unsubscribe requests in a timely manner. Users should consult the Encore CASL Compliance Policy for detailed guidelines on CASL requirements and best practices for compliance.
4.5 Strong Passwords
To enhance the security of Encore email accounts, users must adhere to the strong password requirements outlined in the Encore Password Policy. Strong passwords must be unique, complex, and changed periodically. Users must avoid using easily guessable information, such as personal names, dates, or dictionary words, as part of their passwords. Additionally, users must not share their passwords with others or store them in easily accessible locations.
4.6 Monitoring Email Traffic for Suspicious Activity
Encore implements email traffic monitoring mechanisms to detect and analyze suspicious or unauthorized activities within the email system. This monitoring helps identify potential security incidents, such as unauthorized access attempts, malware distribution, or data exfiltration. IT Management regularly reviews and analyzes email traffic logs to promptly identify and respond to any abnormal or malicious activities. Users are required to cooperate with IT Management and report any suspicious email-related incidents or activities they observe.
4.7 Incident Management
Encore maintains an incident management process to handle security incidents related to email systems. In the event of a suspected or confirmed security incident, users must promptly report it to IT Management by creating a ticket with the IT Help Desk. The incident management process includes procedures for incident identification, containment, investigation, and resolution. It ensures that security incidents are appropriately addressed, mitigated, and documented in compliance with SOC 2 requirements.
IT Management will coordinate incident response efforts, including engaging relevant stakeholders, conducting forensic investigations when necessary, and implementing necessary remediation actions. Users are expected to fully cooperate with the incident management process, provide relevant information, and follow instructions from IT Management to contain and resolve security incidents effectively.
This process is more comprehensively defined in the Incident Management Policy and Procedure.
5.0 Policy Compliance
5.1 Compliance Measurement
The Information Security Office will assess compliance with this policy through various methods, including conducting regular phishing tests (as outlined in Section 4.3 of this policy), risk assessments, annual employee training and policy attestation, internal and external audits, and feedback to the policy owner.
5.2 Exceptions
Any exceptions to this policy must be approved in advance by IT Management.
5.3 Non-Compliance
Employees found to have violated this policy may face disciplinary action, including, but not limited to, termination of employment.
6.1 Data Protection Policy
This email policy aligns with the requirements outlined in the Encore Data Protection Policy, which governs the handling, storage, and transmission of sensitive information within Encore's network.
6.2 Incident Management Policy
Encore maintains an Incident Management Policy that outlines the steps to be taken in the event of a security incident or breach involving email systems. This plan ensures timely detection, response, mitigation of any potential risks or vulnerabilities (as outlined in Section 4.7), reporting, investigation, and resolution of any suspected or confirmed security incidents.
6.3 Access Control Policy
The Encore Access Control Policy defines the procedures and controls in place to regulate access to email systems and ensure that only authorized individuals can access, modify, or transmit sensitive information via email.
6.4 Security Awareness Training
Encore provides annual security awareness training and policy attestation to all Encore employees. This training educates individuals on the risks associated with email usage and emphasizes best practices for maintaining email security and phishing awareness (as outlined in Sections 4.3 and 5.1 of this policy).
6.5 Change Management Policy
Encore follows a formal change management policy to ensure that any changes to email systems, configurations, or policies are properly assessed, approved, tested, and documented. This process minimizes the risk of unauthorized or unintended changes that could compromise the security and integrity of the email environment.
6.6 System Monitoring and Logging
Encore implements robust system monitoring and logging mechanisms to capture and analyze email system activities. This allows for the timely identification of suspicious or unauthorized activities and facilitates compliance monitoring and incident response.
7.0 Policy Review
This email policy will be reviewed at least annually, or whenever there are significant changes to the technology landscape, regulatory requirements, or business operations that impact the use of email systems. The review process ensures that the policy remains up to date, effective, and compliant with SOC 2 requirements.
8.0 Policy Ownership and Enforcement
IT Management is responsible for the ownership, enforcement, and administration of this email policy. Any questions, concerns, or requests for clarification regarding this policy should be directed to IT Management.
All individuals covered by this policy are required to acknowledge their understanding and compliance with the policy upon initial access to Encore email systems, and annually thereafter as deemed necessary by IT Management.
9.0 Definitions
“Canadian Anti-Spam Legislation” (CASL) – is the regulatory body which regulates all commercial electronic messages and describes the legal requirements for distributing them.
“Commercial Electronic Message” (CEM) – means any message sent to an electronic address with an intent to encourage the recipient to participate in commercial activity.
“Employee” – means all salaried and hourly paid Employees including the Steering Committee, Contractors, Consultants, Temporaries, Interns, Agents and other workers at Voyages Encore Travel Inc., including all personnel affiliated with third parties. Can be referred to by the pronoun ‘their’, ‘they’ or ‘them’.
“Encore” – for the purpose of this policy, refers to Voyages Encore Travel Inc. and Encore Travel Americas.
“IT Management” – for the purposes of this Policy, means the Chief Technology Officer; Head of Data, Security and Technology; and Manager of IT Security and Infrastructure.
“Personally Identifiable Information” (PII) – means information that, when used alone or with other relevant data, can identify an individual.
“Phishing” – means a form of social engineering where attackers deceive people into revealing sensitive information or installing malware such as ransomware.
“Spam” – means unwanted, unsolicited digital communication that is sent out in bulk. Spam is typically sent via email.
“Steering Committee” – means the Chief Executive Officer; Chief Technology Officer; Head of Data, Security and Technology; Head of Human Resources; Head of Product; Head of Customer Experience; Financial Controller; Head of Strategic Partnerships; Head of Sales and Marketing; and Head of Travel Technology.
“Their”, “They” or “Them” – means the person or entity previously referred to.
“Users” – means employees, consultants, contractors, agents, and authorized users accessing Voyages Encore Travel Inc. IT systems and applications.
All rights reserved to Voyages Encore Travel Inc. | Confidential Document | Agency purposes ONLY