
AWRostamani Group

Group Information Technology

Email Security Policy

Project: IT Policy

Authors: Eswar Babu S and Yassin

Published Date: 8 August 2016

Last Updated: 17 September 2017

Control Ref: AWR/GIT/ISMS/POL/ES/1.4

AWR GIT Email Security Policy

Internal Page [2 of 15]

September 2017 AWR/GIT/ISMS/POL/ES/1.4 Version: 1.4

Document Control

Change record

Date | Author | Version | Change Reference
11 June 2007 | Eswar Babu S and Yassin | 1.0 | No previous version
9 May 2016 | Rushda Anwar | 1.1 | Added policy 8.4.8, 8.4.17.9
8 August 2016 | Deepti Nair | 1.2 | Added Terms and Definitions
21 August 2016 | Binoy Balakrishnan | 1.3 | Format changes
6 July 2017 | Raveendran Gopu | 1.3 | Review done, no change
17 September 2017 | Raveendran Gopu | 1.4 | Clauses changed: 8.4.12, 8.4.13, 8.4.14, 8.4.16, 8.4.17

Note: The version number consists of two distinct digits. The leading digit reflects the number of versions reviewed by GIT with the recipient; it is only updated after review by the recipient. The decimal digit reflects the internal document reviews done by GIT resources prior to sending the document to the recipient, and is intended for internal use only.

Reviewers

Name | Department | Designation
Sebastian T Samuel | Group IT | Chief Information Officer
Binoy Balakrishnan | Group IT | IT Security Manager
Eswar Babu | Group IT | Operations Manager
Deepti Nair | Group Internal Audit | Team Lead

Distribution

Copy No. | Name | Location
1 | Lydia Pinto | Hard Copy – Physical Storage

Note to Holders:

If you receive an electronic copy of this document and print it out, please write your name on the equivalent of the cover page, for document control purposes. If you receive a hard copy of this document, please write your name on the front cover, for document control purposes.

Contents

8.1 Introduction .......... 5
8.2 Purpose and Scope .......... 5
8.3 Responsibility .......... 5
8.4 Policy .......... 6
8.5 Policy Compliance, Enforcement and Violations .......... 11
8.5.1 Compliance Measurement .......... 11
8.5.2 Non-Compliance .......... 11
8.6 Exclusions .......... 11
8.7 References .......... 11
8.8 Appendix .......... 12
8.8.1 RACI Matrix .......... 12
8.8.2 Mapping with ISO/IEC 27001:2013 .......... 12
8.8.3 Terms and Definitions .......... 13

8.1. Introduction

Electronic mail is the standard method of communication and awareness within an organization. At the same time, misuse of email can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic communications.

AWRostamani encourages the use of email and web services to facilitate communication among internal users and with the external community.

8.2. Purpose and Scope

The purpose of this policy is to define guidelines and controls to minimize the risks of misuse associated with AWR corporate email services.

This policy applies to all AWR employees, contractors, guests, trainees and third-party personnel (consultants, temporary employees, business partners, trading partners, and other users) that use AWR corporate email services.

8.3. Responsibility

Role | Responsibility
ISSC (Information Security Steering Committee) | Responsible for compliance with ISO 27001:2013 within their area of concern.
IT Security Manager | Responsible for development, maintenance, enforcement and endorsement of ISMS policies and procedures. All changes to the policy shall be made only upon approval from the Security Manager.
AWR Employees | Responsible for reading, understanding and adhering to ISMS policies and procedures in their day-to-day activities.


8.4. Policy

8.4.1. The standard email address convention approved by management is <[email protected]> for all email users.

8.4.2. Requests for email accounts are raised through the online Incident Management System (“IMS”); where this is not applicable, a standard email communication to GIT Management is acceptable.

8.4.3. All email accounts maintained on AW Rostamani email systems are the property of AW Rostamani.

8.4.4. Passwords should not be given to other people and should be changed as per the domain policy or at regular intervals.

8.4.5. It is strictly forbidden to use the AW Rostamani email system for anything other than legitimate business purposes. All messages distributed via the company’s email system are AWRostamani property.

8.4.6. Web access to email from untrusted public computers, such as public internet cafés, public wireless access services or any other untrusted computer, is not recommended. Where such access is nonetheless made, users shall never save their user ID and password on the computer while accessing email.

8.4.7. Users shall exercise reasonable judgment when opening emails from unknown sources. Users shall not click links or download and open attachments from unknown or untrusted sources. All email attachments, regardless of source or content, shall be automatically scanned for viruses and other destructive programs before being opened or stored on any AWR computer system. All malicious emails and attachments shall be deleted permanently.

8.4.8. When forwarding emails outside the AWR email system, users shall take care to remove AWR users’ email addresses from the email, as these can be harvested as a source for spam.

8.4.9. Users of the corporate email should not:

8.4.9.1. Send or forward emails containing defamatory, offensive, racist or obscene remarks. If a user receives an email of this nature, he or she must promptly notify their supervisor.

8.4.9.2. Spam by exploiting auto-distribution lists or similar systems for the widespread distribution of email.

8.4.9.3. Send propaganda, or unethical or hate literature.

8.4.9.4. Send defamatory, fraudulent or harassing messages.

8.4.9.5. Forward a message without first acquiring permission from the sender.

8.4.9.6. Send unsolicited email messages.

8.4.9.7. Use personal email accounts for official communication unless access to the corporate email system is restricted or unavailable for more than 2 days. Use of a personal email account is subject to written clearance from the CEOs, Vice-Chairman and Directors. The necessary approval shall be communicated to GIT prior to use of the personal account.

8.4.9.8. Forge or attempt to forge email messages.

8.4.9.9. Disguise or attempt to disguise their identity when sending mail.

8.4.9.10. Send email messages using another person’s email account.

8.4.9.11. Copy a message or attachment belonging to another user without the permission of the originator.

8.4.9.12. Send personal emails, chain letters, junk mail, jokes and executables.

8.4.9.13. Send bulk email messages or campaigns without explicit approval from GIT.

8.4.9.14. Provide corporate email IDs in public domains or on the internet, which has the potential to increase junk email, spam etc. Users shall not use their corporate email IDs when creating personal internet profiles.

8.4.10. E-mail messages are not encrypted by default, and users should exercise caution by not embedding system or application passwords in e-mail messages.

8.4.11. Any statements or comments made via email shall bear a disclaimer. The contents of the disclaimer shall be:

“This message, together with any attachments, may contain confidential information which is intended only for disclosure to and use by certain identified persons. If you are not the intended recipient, please inform the sender immediately and delete this email. You should not copy this email or use it for any purpose nor disclose its contents to any other person. Thank you.”

8.4.12. E-mail storage quota and attachment size will be controlled as per the mailbox characteristics specified in the following table:

Mailbox Type | Mailbox Size (MB) | Attachment Size (internal mails) | Attachment Size (external mails)
Managers (On premises) | 500 | 5 MB | 5 MB
Users (On premises) | 300 | 5 MB | 15 MB
Critical Users (On premises) | 2000 | 10 MB | 15 MB
Office 365 Users | 10000 | 35 MB | 35 MB

8.4.13. The global maximum attachment size allowed for On Premises users when sending and receiving externally is limited to 15 MB; for Office 365 users, sending and receiving externally is limited to 35 MB.

8.4.14. Critical business users on an On Premises mailbox will be allowed up to a 20 MB limit on an individual basis.

8.4.15. The following are the guidelines for sending attachments:

8.4.15.1. Sending personal attachments is restricted.

8.4.15.2. Sharing video files, which consume high bandwidth and cause business interruptions, should be avoided.

8.4.15.3. Only business-related attachments should be sent, and in compressed form to limit bandwidth utilization.

8.4.15.4. Attachment file types that are vulnerable to virus infection will be filtered at the external e-mail gateway for incoming and outgoing emails. The list of filtered attachment types is given in the mailbox characteristics specified in the Mailbox Policy.

8.4.16. Email accounts will be disabled immediately when staff leave the company and deleted within 90 days. Where an email account needs to remain active after the staff member exits the company, this will be accepted upon request from the department head. Accounts will be kept active for a duration of 30 days, and any further extension will require the respective Department Head’s approval.

8.4.17. Once an employee leaves the company, email forwarding will be made available for a period of 4 weeks and can be extended upon request from the respective Department Head.

8.4.18. Users should under no circumstances enable the “save password” check box when accessing Outlook Web Access from a public internet environment.

8.4.19. The following are the guidelines for email monitoring:

8.4.19.1. Users expressly waive any right of privacy in anything they create, store, send or receive on the company’s computer system. AW Rostamani can, but is not obliged to, monitor emails without prior notification. If there is evidence that a user is not adhering to the guidelines set out in this policy, AW Rostamani reserves the right to take disciplinary action.

8.4.19.2. E-mail messages are scanned for viruses on the internal and external e-mail servers. If a virus is detected, the e-mail message will be deleted from the system and an auto-generated warning message will inform the recipient or sender of the detected virus along with the action taken.

8.4.19.3. Attachment file types that are vulnerable to virus infection will be filtered at the external e-mail gateway for incoming and outgoing emails. The list of filtered attachment types is given in the mailbox characteristics specified in the Mailbox Policy.

8.4.19.4. Users should not undertake bulk campaigns sending mass email communication or attachments to external users. In special cases this is permitted with prior permission from GIT.

8.4.19.5. Misuse of email communication by users in sending personal email attachments will result in withdrawal of the email communication facility.

8.4.19.6. The file extensions listed below are not permitted through the system. Files of these types shall be removed from messages and the sender/receiver shall be notified of their removal:

8.4.19.6.1. bas – BASIC program;

8.4.19.6.2. vbs – Visual Basic program;

8.4.19.6.3. vbe – Visual Basic related;

8.4.19.6.4. vba – Vbase file;

8.4.19.6.5. All executable files;

8.4.19.6.6. bat – Batch processing (Microsoft);

8.4.19.6.7. All compressed files.
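The attachment controls in 8.4.12 to 8.4.14 and the extension filter in 8.4.19.6 can be expressed as one gateway-side check that strips disallowed attachments and produces the sender/receiver notice the clause requires. The Python below is an added example, not part of the AWR policy or of any mail gateway product; the mailbox-type labels, the concrete extension sets behind “all executable files” and “all compressed files”, and the sample attachments are assumptions constructed for illustration.

```python
# Gateway-side attachment check modelled on clauses 8.4.12-8.4.14 and 8.4.19.6.
from dataclasses import dataclass
from pathlib import PurePosixPath

MB = 1024 * 1024

# Attachment size limits (MB) per mailbox type, from the 8.4.12 table. The 8.4.13
# global external caps (15 MB on-premises, 35 MB Office 365) match these values.
# The mailbox-type labels are an assumption for this example.
ATTACHMENT_LIMITS_MB = {
    "managers_on_prem": {"internal": 5, "external": 5},
    "users_on_prem": {"internal": 5, "external": 15},
    "critical_on_prem": {"internal": 10, "external": 15},
    "office365": {"internal": 35, "external": 35},
}
# 8.4.14: critical on-premises users may be granted up to 20 MB individually.
CRITICAL_INDIVIDUAL_LIMIT_MB = 20

# 8.4.19.6 names these extensions explicitly ...
NAMED_BLOCKED = {"bas", "vbs", "vbe", "vba", "bat"}
# ... and adds "all executable files" and "all compressed files". These two sets
# are an assumption for the example, to be aligned with the Mailbox Policy.
EXECUTABLE_EXTS = {"exe", "com", "scr", "msi", "dll", "cmd", "ps1", "js", "jar"}
COMPRESSED_EXTS = {"zip", "rar", "7z", "gz", "tar", "bz2", "cab"}


@dataclass
class Attachment:
    filename: str
    size_bytes: int


@dataclass
class Verdict:
    delivered: list   # filenames passed through unchanged
    removed: list     # (filename, reason) pairs stripped from the message
    notices: list     # text for the sender/receiver notification (8.4.19.6)


def blocked_reason(filename):
    """Return the 8.4.19.6 category a filename falls into, or None if allowed.
    Every suffix is checked (report.pdf.vbs, backup.tar.gz) so a blocked type
    cannot hide behind an inner extension, and matching is case-insensitive."""
    for suffix in PurePosixPath(filename).suffixes:
        ext = suffix.lstrip(".").lower()
        if ext in NAMED_BLOCKED:
            return f".{ext} is listed in 8.4.19.6"
        if ext in EXECUTABLE_EXTS:
            return f".{ext} is an executable file (8.4.19.6.5)"
        if ext in COMPRESSED_EXTS:
            return f".{ext} is a compressed file (8.4.19.6.7)"
    return None


def size_limit_mb(mailbox_type, direction, individual_exception=False):
    """Applicable cap from the 8.4.12 table, raised to 20 MB only for a critical
    on-premises user who holds an individual 8.4.14 exception."""
    limit = ATTACHMENT_LIMITS_MB[mailbox_type][direction]
    if individual_exception and mailbox_type == "critical_on_prem":
        limit = max(limit, CRITICAL_INDIVIDUAL_LIMIT_MB)
    return limit


def evaluate(attachments, mailbox_type, direction, individual_exception=False):
    """Strip disallowed attachments from one message and build the notices."""
    limit_mb = size_limit_mb(mailbox_type, direction, individual_exception)
    verdict = Verdict([], [], [])
    for att in attachments:
        reason = blocked_reason(att.filename)
        if reason is None and att.size_bytes > limit_mb * MB:
            reason = f"exceeds the {limit_mb} MB {direction} limit (8.4.12/8.4.13)"
        if reason is None:
            verdict.delivered.append(att.filename)
        else:
            verdict.removed.append((att.filename, reason))
            verdict.notices.append(f"Attachment '{att.filename}' removed: {reason}.")
    return verdict


# Constructed sample: one outbound external message from an on-premises user.
SAMPLE_ATTACHMENTS = [
    Attachment("quarterly_report.pdf", 3 * MB),
    Attachment("Invoice.pdf.VBS", 12 * 1024),  # double extension, mixed case
    Attachment("photos.zip", 2 * MB),
    Attachment("budget_model.xlsx", 16 * MB),  # over the 15 MB external cap
]


def demo():
    """Run the sample through the check; three of four attachments are removed."""
    return evaluate(SAMPLE_ATTACHMENTS, "users_on_prem", "external")
```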

8.4.20. The guidelines for email archiving are as follows:

8.4.20.1. Archiving is set to archive items older than 30 days, and to continue archiving until the mailbox’s available storage reaches 10 %.

8.4.20.2. Daily archiving will be scheduled between 2.00 am and 5.00 am on the server mailbox.

8.4.20.3. Archived items will be moved from the primary storage location to the secondary storage location on an annual basis, after review of storage utilization.

8.4.20.4. Primary folders such as Inbox, Sent Items, Calendars and other user folders will be archived.

8.4.20.5. Archived items will be backed up on a daily basis through the centralized backup system.

8.4.20.6. Non-critical common mailbox accounts will be excluded from the archival system.

8.4.20.7. Archiving consumes more storage as the number of items grows; hence unwanted attachments and personal items are required to be cleaned up on a regular basis by users.

8.5. Policy Compliance, Enforcement and Violations

8.5.1. Compliance Measurement

GIT will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

8.5.2. Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

8.6. Exclusions

Any exclusion to the policy must be approved by GIT in advance.

8.7. References

8.7.1. Acceptable Use Policy

8.7.2. ISO 27001:2013

8.8. Appendix

8.8.1. RACI Matrix

A RACI diagram describes the participation of various roles in completing a task, project or deliverable. RACI is an acronym derived from the four key responsibilities most typically used in a process. These are:

Responsible: Those who are responsible for the completion of a task, project, or deliverable.

Accountable: Those who are answerable for the correct, thorough and successful completion of all work actions needed to achieve a task, project, or deliverable. Typically there is only one role with a participation type of “Accountable.”

Consulted: Those whose opinions are sought concerning an activity related to a task, project or deliverable.

Informed: Those who are kept up-to-date on the progress of a task, project, or deliverable. Often, this is only done at the completion of a task, project, or deliverable.

Group | Role | Participation
Group IT | CIO | R/C/I
Group IT | Information Security | R
Group IT | IT Operations | A/R
Group IT | IT Applications | R
Group IT | Service Desk | R
Business Units | Group HR | R/I
Business Units | ARRE | R/I
Business Units | Group Procurement | R/I
Business Units | Group Audit Department | R/C/I
Business Units | Group Legal Department | R/I
Business Units | AWR Employees | R/I

8.8.2. Mapping with ISO/IEC 27001:2013

ISO/IEC 27001:2013 Control No. & Details | ISO/IEC 27001:2013 Section
A.13.2.3 Electronic Messaging: Information involved in electronic messaging shall be appropriately protected. | A13 Communications Security

8.8.3. Terms and Definitions

Term | Definition
Access control | Ways to ensure that access to assets is permitted and restricted based on work and safety requirements.
Antivirus definition/signature | Antivirus definitions are the definitions of known viruses on the basis of which the antivirus software identifies the presence of a virus.
Antivirus Software | Antivirus or anti-virus software is software used to prevent, detect and remove malware, such as computer viruses.
Assets | Anything that has value to the organization (information, software, the computer itself, services, people, etc.).
Authentication | Provision of assurance that a characteristic claimed by an entity is correct.
Availability | The property of being accessible and usable by an authorized entity.
BYOD | Bring your own device (BYOD) refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets and smartphones) to their workplace, and to use those devices to access privileged company information and applications.
CD/DVD | Compact disc, or CD for short, is a digital optical disc data storage format. DVD (short for digital versatile disc) is a digital optical disc storage format.
Chain Email | An email sent to a number of people asking each recipient to send copies with the same request to a specified number of others. The circulation of a chain letter increases in geometric progression as long as the instructions are followed by all recipients.
Confidentiality | Property that ensures that information is not made available or disclosed to unauthorized individuals, entities or processes.
Corrective action | Action to eliminate the cause of a detected nonconformity or other undesirable situation.
Digital Signature | Set of encrypted data associated with a document that guarantees its integrity and authenticity.
Disaster Recovery | Emergency plans to ensure the preservation of documents and the physical integrity of the employees of an organization in case of natural disasters.
Freeware | Freeware (a portmanteau of “free” and “software”) is software that is available for use at no monetary cost, but with one or more restricted usage rights, such as source code being withheld or redistribution prohibited.
Impact | A measure of the effect of an incident, problem or change on business processes. Impact is often based on how service levels will be affected. Impact and urgency are used to assign priority.
Incident | An incident is an undesirable event which may cause a temporary or permanent disruption to the business.
Information Asset Custodian | An asset custodian is an individual or entity to whom routine tasks may be delegated and who looks after the asset on a daily basis.

Information Asset Owner | An asset owner is an individual or entity that has management responsibility for controlling the production, development, maintenance, use and security of the asset.
Information Security | Preservation of the confidentiality, integrity and availability of information.
Information Security Management System | An Information Security Management System (ISMS) is a set of policies, procedures and guidelines established to plan, implement, monitor, measure, review and continually improve the effectiveness and efficiency of the ISO 27001 standard.
Information Security Steering Committee (ISSC) | The ISSC is the management body which provides the overall direction for the execution of the Information Security program within AWR.
Information System | An information system is a user computing system, such as a desktop PC or laptop, which is used to carry out operations with more speed and accuracy.
Integrity | The correctness to protect property assets.
Internet Gateway | An internet gateway is a router used to forward packets to the Internet and receive packets from the Internet.
Internet Services | Any services provided by AWR GIT based on the World Wide Web (www), such as surfing.
Intrusion Detection | Alerts administrators to potential intruders entering the systems. These systems attempt to recognize intrusive behaviour or actions.
IP Address | The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet.
ISO 27001 | Global standard for Information Security Management Systems.
ISP | An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. Internet service providers may be organized in various forms, such as commercial, community-owned, non-profit, or otherwise privately owned.
Junk Mail/Spam | Any unsolicited mail, such as advertisements, promotions etc., which may flood the inbox.
KEDB | The Known Error Database is a part of the problem management module which lists known errors and workarounds for incidents.
Malware/malicious program | Malware, short for malicious software, is software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. It can appear in the form of code, scripts, active content, and other software.
Memory Card | A memory card or flash card is an electronic flash memory data storage device used for storing digital information. They are commonly used in many electronic devices, including digital cameras, mobile phones, laptop computers, MP3 players and video game consoles.
Network Gateway | A network gateway is a router or a proxy server that routes between networks.

Network Printer | A network printer is a printer that is connected to a computer network and can be accessed from many different computers.
Operating System | An operating system (OS) is a collection of software that manages computer hardware resources and provides common services for computer programs.
On Premises User | A user whose email mailbox is configured in the on-premises environment within the organization.
PC | A personal computer (PC) is a general-purpose computer used for processing, storing or transmitting information.
Remote Access | Remote access is a connection to an information processing facility (such as a user system, database, network device etc.) from a remote location by means of tools.
Removable Storage Device/Media | Media designed to be read from or written to by removable readers, writers and drives, such as pen drives.
Responsibility | Responsibility of an entity for its actions and decisions.
Risk | Combination of the probability of an event and its consequences.
Risk analysis | The systematic use of information to identify sources and to estimate the occurrence of a risk.
Risk management | Coordinated activities to direct and control an organization in relation to a particular risk.
Tablet PC | A tablet PC, or simply tablet, is a mobile computer with display, circuitry and battery in a single unit. Tablets are equipped with sensors, including cameras, microphone, accelerometer and touchscreen, with finger or stylus gestures replacing computer mouse and keyboard.
Threat | A potential cause of an undesired event, which may result in damage to a system or entity.
Trojan Horse | A Trojan is non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user’s computer system.
USB | Universal Serial Bus (USB) is an industry standard that defines the cables, connectors and communications protocols used in a bus for connection, communication, and power supply between computers and electronic devices.
User | A person who uses the GIT Service on a day-to-day basis.
Virus | A computer virus is a computer program that can copy itself and infect a computer.
Vulnerability | Weakness of an asset or control which can be exploited by a threat.
Worm | A computer worm is a self-replicating computer program. It uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention.