Electronic Messaging Services 89116 AMS 12.10 April, 2013 I. Policy   Policy Rationale   1.          The purpose of this policy is to provide staff guidelines and the rationale for the current Electronic Messaging structure. Scope and Constraints 2.         This policy pertains to the World Bank Group.   This policy may be revised from time to time as changes in technology necessitate. Statement of Policy 3.         The Electronic Messaging (Email) service is among the standard, centralized information technology services provided to staff globally by the Bank Group to conduct official business. 4.         Reasonable limits for access and parameters of use are set and enforced to safeguard the functionality and integrity of the Bank Group Email system. 5.         The Bank Group will ensure a reliable Email environment with high availability and sufficient storage to support the Bank Group’s business needs. Acceptable Use of Bank Group Email Resources 6.         The Email system is an institutional asset and the Bank Group has legal right of ownership to all documents in on-line and off-line storage media. Staff using the Bank Group’s information resources can have no expectation of privacy from the Bank Group’s overriding interests. It is the responsibility of the Bank Group to set and enforce reasonable access limits and parameters of use to safeguard the functionality and integrity of the Bank Group Email system. It is the responsibility of all Bank Group staff to follow institutional directives clarified in the security policy, to prevent destruction, theft, misuse, or loss of integrity of the information stored within the Email system, and to prevent unauthorized access or misuse of the Email system. 7.         The Bank Group Email system is not the official record keeping system. The Bank Group policy on electronic records keeping is captured in Administrative Manual Statement (AMS) 10.11, “Management of Records.” Using Email for Personal Purposes 8.         The Bank Group’s Email is to be used for business purposes.  While personal electronic mail is permitted, it is to be kept to a minimum. Use of Email to Send Confidential Information 9.         To prevent theft, misuse or loss of integrity of sensitive information, users will not send Confidential or Strictly Confidential information via email without encryption using approved and Bank Group standard encryption methodology. Users will not forward Email containing proprietary institutional financial information, or materials deemed sensitive by the institution or government clients unless the recipient is authorized to view it by management and the owner/originator of the information. (Refer to  AMS 10.11, "Management of Records, "for information on security classification levels.) Sending Defamatory, Derogatory, Obscene, or Harassing Email 10.       The display or transmission of sexually-explicit images, messages or cartoons, or any transmission that contains ethnic slurs, racial epithets, or anything that may be construed as harassment or disparagement of others is not permitted on the Bank Group Email system. Using the Email System for Spamming 11.       No one may solicit, promote or advertise any organization, product or service through the use of the Bank Group Email at any time. 12.       The Bank Group reserves the right to review electronic messages sent by staff to Internet discussion groups, electronic bulletin boards or other public forums and to remove any determined to be inconsistent with World Bank Group interests or policy. Use of the Email System to Carry out Inappropriate Activities 13.      Use of the Bank Group Email system to carry out or promote activities that are prohibited under any of the Bank Staff Rules contained in the Staff Manual or policies in the Administrative Manual is not permitted. Loss or Destruction of Institutional Integrity Using Email 14.       Use of the Bank Group Email system to compromise institutional integrity by transmitting copyrighted material, including unlicensed or pirated computer programs, or to knowingly transmit viruses, worms or other means of destroying institutional information is not permitted. Automatic Copying and Forwarding of Bank Group Email 15.       To ensure the security and maintain reasonable functionality of the Bank Group Email system, incoming documents from a Bank Group Email account may not be automatically forwarded to external organizations or to accounts on external Email systems. Sending and Receiving Large Attachments 16.       Staff should refrain from sending mail messages with large multimedia attachments. Staff should not send nonbusiness communications to large Notes mail groups inside or outside the Bank Group. The World Bank Group reserves the right to reject or delay sending any messages with attachments large enough to cause mail delivery delays. 17.       To protect the Email environment from external viruses and ensure reasonable security, email messages will be scanned for viruses prior to delivery to the user mail file. The Bank Group reserves the right to quarantine some incoming Email attachments and may limit the release of those not pertaining to Bank business. Use of Email System for Archive and Retrieval of Documents 18.       The Email service is not retained for the purpose of long term archiving and retrieval of Bank Group documents. Email messages that are Bank records should be stored in the appropriate record keeping system, e.g., Integrated Records and Information Services (IRIS) or iDOCs. It is the responsibility of staff to send official correspondence to official records as detailed in AMS 10.11, "Management of Records." Perceived Deletion of Email Documents 19.       Staff should be aware that the deletion feature in any electronic system is designed for storage management and not for the elimination of records and documents. At any given time, backup copies of deleted documents may exist in user mail files on daily, monthly or biannual backup tapes. Size Limits on Personal Mail Files 20.       The Email resources provided to Bank Group staff shall include one primary, personal "mailbox" file on a centrally managed infrastructure in which to receive and store incoming mail and to create and send outgoing mail. Each user will be allocated a reasonable amount of disk space in which to create, store and receive Email messages. It is the responsibility of the user to maintain personal mailbox size within the defined quota. 21.       Exemptions from the disk quota must be cleared by the Chief Information Officer. Passwords for User Email Account 22.       The password feature of the Bank Group Email system is the foundation for maintaining the confidentiality of the institution's communication system. Passwords to access personal or service Email accounts may not be shared with colleagues or disseminated to the public and must be treated as confidential information by the user. Email account passwords must comply with the Bank policy on passwords and their expiry as specified in the Bank Group's information security policy, AMS 6.20, "Information Security Program." Access and Limits to Access to Bank Email System 23.       Staff will be provided access to an Electronic Messaging account as part of a series of standard operational tools defined as baseline necessities to carry out the Bank Group’s core business.   Accounts shall be available to all staff globally. Email Access for Contractors and Temporary Employees 24.       Access to the Bank Group Email system may be granted to contractors or agency temps in order to carry out an individual Bank work program. The relevant line manager has the authority to make the decision to request the account and takes full responsibility for the account and any misuse of it. Retention of Account in case of Temporary Absence from the Bank Group 25.       Staff may retain access to Bank Group Email in cases of temporary absence from the Bank, when it has been authorized by the sponsoring unit and Information Solutions Group (ISG) or Corporate Business Informatics (CBI) management, as appropriate, and where it does not create any conflict of interest. Provision of Service Accounts for Business Use by a Group 26.       Service accounts may be provided to a Bank Group functional entity based on clear business justification. Business justifications include cross-unit projects or programs, requiring email to be sent and received in one location or provision of ongoing services which require anonymity of individual service providers. Service accounts must be named in accordance with ISG or CBI naming conventions, as appropriate.   Additional password security will be required for service account.   Service accounts must be authorized by ISG or CBI, as appropriate, and sponsored by a Bank Group entity that agrees to take full responsibility for the account and any misuse of it. Revocation of Access to Bank Group Email Account 27.       Staff members who terminate employment or contract with the Bank Group for any reason including retirement, may no longer access the Bank information or network systems – this includes Bank Group Email accounts and all off-line media will be retained by the Bank. 28.       The Bank Group reserves the right to revoke access to the account at any time if it can be shown that any staff, employee or contractor, has abused access privileges or compromised the integrity of Bank information. 29.        Extension of email accounts for staff without a current World Bank Group contract in place is not allowed. Staff transitioning from one appointment type to another and contractors whose contract period is extended, may be provided a grace period of 15 days for email account extension based on the manager’s documented intention to hire. 30.        Staff departing the institution and requiring a transition period, may be provided with a read only access to the last archive and current primary copy of their emails for period of 60 days with a business justification and approval by staff’s Vice President. Departing Presidents, EDs, Alternate and VP’s may be provided a read only access to the last archive and current primary copy of their emails for a period of 60 days per policy. A service fee will be charged to the staff’s VPU for issuing an archive CD. 31.        Staff involved in appeal cases, may be provided a read only access to the last archive and current primary copy of their emails until the case is open. 32.        Staff that are on administrative leave and leave without pay could be granted an extension of their email account until the period during which admin leave is granted based on a business justification and approval by staff members Vice President.  Consequences of Noncompliance with Email Policies 33.       Violations of any of these provisions may result in discipline up to and including termination as described in Staff Rule 8.01, "Disciplinary Measures." Responsibilities 34.       IMT and CBT jointly are responsible for issuing and updating these policies as requirements dictate, monitoring compliance, providing interpretation where appropriate, and maintaining the highest standards of Email usage in accordance with current Bank needs, in coordination with the Chief Information Officers, vice-presidential units, and information technology representatives throughout the Bank Group. Directive References 35.       Additional information may be found in the following: (a) AMS 6.20, "Information Security Program" (b) AMS 10.11, "Management of Records" (c) Staff Rule 8.01, "Disciplinary Measures" (d) Staff Rule 1.01, "General Provisions" for definition of "manager"  e) AMS 1.30, " Authority to Sign Written Instrument:  Bank and Association" Dates Issuance and Revision 36.       This policy was revised in March 2013 and supersedes the policies earlier published. II. Procedures Statement of Procedures The Statement of Procedures applies to all WBG staff unless noted otherwise. 1.       The current standard application for Electronic Messaging services is Lotus Notes Mail. Acknowledgement of Email Policies 2.       Each staff who receives an Email account will be required to read and sign electronically a copy of the current Email policy. The signature will be taken as an acknowledgement that staff understand and will abide by the policies defined in the document. How to Request a Lotus Notes Account 3.       Access to an Email account for Bank staff may be requested at http://eservicesnew.worldbank.org/menu/eServiceNew_TechnologyServices.html    IFC staff may request an email account by sending an email to IFC-ID. Lotus Notes Administration 4.       For Bank staff, the Accounts Provisioning  team will create user IDs, mail accounts and perform all other necessary tasks upon request via the eservices portal.    For IFC clients, the Access Control team in CBT will manage user ID creation, mail accounts and perform all other necessary tasks by sending an email request to IFC-ID. 5.       Notes accounts will be disabled within 24 hours of the date of staff termination at the Bank Group according to HR records. Email Storage and Archiving 6.       Email is viewed as a mission-critical application by Bank Group staff and business units. Therefore, the Bank will provide a reliable email environment through use of a high-availability data storage solution. Email Backup 7.       The Email system is backed up nightly to ensure a reliable data retention environment and disaster recovery of the Email system.   Daily backups are retained for six months, monthly backups are retained off-site for a period of two years for Mail servers  in HQ. CO Backups are specific to each CO.  Email backup tapes for the IFC are kept indefinitely Email Storage 8.       The current Email storage solution is Lotus Notes Archiving. The Lotus Notes Archiving service was introduced at the World Bank to address the need to contain costs associated with the management of electronic mail storage on network servers. Less active mail files are "archived" on-line to low-cost, industry-standard disk storage. The service, which is now fully operational on all Headquarter (HQ) and Country Office Lotus Notes servers, affects mail databases larger than 2 GB for all Bank Group staff in COs and HQ. Upon reaching this threshold, older mail is moved from your primary mail storage area to the archive area. Users receive a notification that archiving has taken place. Users can still access all of their mail, by clicking the "Server Archive" View in their mail database.  Email Archiving Services 9.       Archiving policies for Bank and IFC staff are different: For Bank staff, once the primary mail database reaches 2 GB, older email is archived and made available via Server Archives. The size limit for archives in the Server Archive folder is 4 GB. Mail files under 2 GB  are not affected.  For IFC staff, the quota for the primary and archive database is 2GB each. Once the primary mail database reaches 2 GB, staff have to take action on their mail file for email archiving to kick in. 10.       Bank staff may contact the IMT Online Helpdesk, at http://x32121 to get status on their mail archive CD .  For IFC, Headquarters staff may contact the Helpdesk (x23000) to get status on your mail archive CD; Country Office staff should contact the local IT support person. Sending Email Attachments 11.       To prevent delays in service  following email message/ attachment limits apply for Bank and IFC: ·         For Bank staff, there is a 20MB size limit for messages sent outside the Bank's network. ·         For Bank staff, messages between 5 MB and 10 MB may not be delivered during HQ business hours and are delivered after the Bank's business hours.  ·         For Bank staff, there is a 100MB limit on the attachments for emails transferred within the Bank at HQ ·         For IFC staff, there is a 20MB size limit for messages sent within HQ, COs and outside the Bank network. III. Good Practices Statement of Good Practices Guidelines for Responsible, Space Efficient Email Use 12.       As the value of the more advanced features of Notes become evident to more and more staff, our current trend analysis shows that the load on our Notes storage capacity could drive up costs very rapidly as the Bank has to purchase more disk space. 13.       To ensure that this added usage and these added costs will represent added value to the business rather than a lack of simple email housekeeping, we encourage all staff to become familiar with best practices for email database "housekeeping".   These best practices can be found at IMT Online Helpdesk, at http://x32121. Guidelines for Creating Email Messages and Appropriate Email Distribution 14.       Be cognizant of the extent to which the Bank's system resources--disk space and bandwidth --are spent when an email is sent to a large distribution list. In addition, consider the information overload and cost to the recipients of unnecessary email messages. Refer to other Best Practices guidelines, which can be found at the IMT Online Helpdesk, at http://x32121. Definitions 15.       The following terms are used in this Statement: (a) Staff:   As used herein includes employees holding appointments under Staff Rule 4.01, “Appointment.” (b) Authorized Contractor:   As used herein to define any contractor who has been authorized by Bank hiring line manager to have access to Bank information resources. (c) Bank:   As used herein refers to The World Bank. (d) Electronic Messaging:   As used herein refers to an electronic communication resource intended to foster communication between staff, including clients and partners, over different time zones and geographic areas. Other uses for Bank Email services include document sharing, electronic collaboration, groupware, calendaring and scheduling. (e) Attachments:   As used herein refer to a non-Lotus Notes document or file attached to a Lotus Notes email message for distribution through the Bank email system or through the Internet. (f) Disk Quota: As used herein refers to the amount of disk space allocated on network storage per standard mail database associated with a single Email account.