AWRostamani Group
Group Information Technology
Email Security Policy
Project: IT Policy
Authors: Eswar Babu S and Yassin
Published Date: 8 August 2016
Last Updated: 17 September 2017
Control Ref: AWR/GIT/ISMS/POL/ES/1.4
AWR GIT Email Security Policy
Internal Page [2 of 15]
September 2017 AWR/GIT/ ISMS/POL/ES/1.4 Version: 1.4
Document Control
Change record
Date | Author | Version | Change Reference
11 June 2007 | Eswar Babu S and Yassin | 1.0 | No previous version
9 May 2016 | Rushda Anwar | 1.1 | Added policy 8.4.8, 8.4.17.9
8 August 2016 | Deepti Nair | 1.2 | Added Terms and Definitions
21 August 2016 | Binoy Balakrishnan | 1.3 | Format Changes
6 July 2017 | Raveendran Gopu | 1.3 | Review done, no change
17 September 2017 | Raveendran Gopu | 1.4 | Clauses Changed 8.4.12, 8.4.13, 8.4.14, 8.4.16, 8.4.17
Note: The version number consists of two distinct digits. The leading digit reflects the
number of versions reviewed by GIT with the recipient and is only updated after review by
the recipient. The decimal digit reflects the internal document reviews done by GIT
resources before the document is sent to the recipient; it is intended for internal use only.
Reviewers
Name | Department | Designation
Sebastian T Samuel | Group IT | Chief Information Officer
Binoy Balakrishnan | Group IT | IT Security Manager
Eswar Babu | Group IT | Operations Manager
Deepti Nair | Group Internal Audit | Team Lead
Distribution
Copy No. | Name | Location
1 | Lydia Pinto | Hard Copy – Physical Storage
Note to Holders:
If you receive an electronic copy of this document and print it out, please write your name on
the equivalent of the cover page, for document control purposes. If you receive a hard copy
of this document, please write your name on the front cover, for document control purposes.
Contents
8.1 Introduction ... 5
8.2 Purpose and Scope ... 5
8.3 Responsibility ... 5
8.4 Policy ... 6
8.5 Policy Compliance, Enforcement and Violations ... 11
8.5.1 Compliance Measurement ... 11
8.5.2 Non-Compliance ... 11
8.6 Exclusions ... 11
8.7 References ... 11
8.8 Appendix ... 12
8.8.1 RACI Matrix ... 12
8.8.2 Mapping with ISO/IEC 27001:2013 ... 12
8.8.3 Terms and Definitions ... 13
8.1. Introduction
Electronic mail is the standard means of communication and awareness within an
organization. At the same time, misuse of email can pose many legal, privacy and security
risks, so it is important for users to understand the appropriate use of electronic
communications.
AWRostamani encourages the use of email and web services to facilitate communication
among internal users and with the external community.
8.2. Purpose and Scope
The purpose of this policy is to define guidelines and controls to minimize the risks of misuse
associated with AWR corporate email services.
This policy applies to all AWR employees, contractors, guests, trainees and third party
personnel (consultants, temporary employees, business partners, trading partners, and other
users) that use AWR corporate email services.
8.3. Responsibility
Role | Responsibility
ISSC (Information Security Steering Committee) | Responsible for compliance with ISO 27001:2013 within their area of concern.
IT Security Manager | Responsible for the development, maintenance, enforcement and endorsement of ISMS policies and procedures. All changes to the policy shall be made only upon approval from the Security Manager.
AWR Employees | Responsible for reading, understanding and adhering to ISMS policies and procedures in their day-to-day activities.
8.4. Policy
8.4.1. The standard email convention approved by management would be
<[email protected]> for all email users.
8.4.2. Requests for email accounts are facilitated through the online Incident Management
System ("IMS"); where this is not applicable, a standard email communication to GIT
Management is acceptable.
8.4.3. All email accounts maintained on AW Rostamani email systems are property of AW
Rostamani.
8.4.4. Passwords should not be given to other people and should be changed as per the
domain policy or at regular intervals.
8.4.5. It is strictly forbidden to use AW Rostamani email system for anything other than
legitimate business purposes. All messages distributed via the company’s email
system are AWRostamani property.
8.4.6. Web access to email from untrusted public computers, such as those in public internet
cafés, on public wireless access services or any other untrusted computers, is not
recommended. Where such access is unavoidable, users shall never save their user ID and
password on the computer while accessing their email.
8.4.7. Users shall exercise reasonable judgment when opening emails from unknown
sources. Users shall not click links or download and open attachments from unknown
or untrusted sources. All email attachments, regardless of source or content, shall
be automatically scanned for viruses and other destructive programs before being opened
or stored on any AWR computer system. All malicious emails and attachments shall be
deleted permanently.
8.4.8. When forwarding emails outside the AWR email system, users shall take care to
remove AWR users' email addresses from the email, as these can be harvested as a source
for spam.
8.4.9. Users of the corporate email should not:
8.4.9.1. Send or forward emails containing defamatory, offensive, racist or obscene
remarks. If a user receives an email of this nature, he or she must promptly
notify their supervisor.
8.4.9.2. Spam by exploiting auto-distribution lists or similar systems for the
widespread distribution of e-mail.
8.4.9.3. Send propaganda, unethical or hate literature.
8.4.9.4. Send defamatory, fraudulent or harassing messages.
8.4.9.5. Forward a message without acquiring permission from the sender first.
8.4.9.6. Send unsolicited email messages.
8.4.9.7. Use personal email accounts for official communication, unless access to the
corporate email system is restricted or unavailable for more than 2 days. Use of a
personal email account is subject to written clearance from the CEOs, Vice-Chairman and
Directors, and the necessary approval shall be communicated to GIT before the personal
account is used.
8.4.9.8. Forge or attempt to forge email messages.
8.4.9.9. Disguise or attempt to disguise your identity when sending mail.
8.4.9.10. Send email messages using another person’s email account.
8.4.9.11. Copy a message or attachment belonging to another user without permission
of the originator.
8.4.9.12. Send personal emails, chain letters, junk mail, jokes and executables.
8.4.9.13. Send bulk email messages or campaigns without explicit approval from
GIT.
8.4.9.14. Publish corporate email IDs in public domains or on the internet, as this
has the potential to increase junk email and spam. Users shall not use their
corporate email IDs when creating personal internet profiles.
8.4.10. E-mail messages are not encrypted by default, and users should exercise caution by
not embedding system or application passwords in their e-mail messages.
8.4.11. Any statements or comments made via email shall bear a disclaimer. The contents of
the disclaimer shall be:
“This message, together with any attachments, may contain confidential information
which is intended only for disclosure to and use by certain identified persons. If you
are not the intended recipient, please inform the sender immediately and delete this
email. You should not copy this email or use it for any purpose nor disclose its
contents to any other person. Thank you.”
8.4.12. E-mail storage quota and attachment size will be controlled as per the mailbox
characteristics specified in the following table:
Mailbox Type | Mailbox Size (MB) | Attachment Size (internal mails) | Attachment Size (external mails)
Managers (On premises) | 500 | 5 MB | 5 MB
Users (On premises) | 300 | 5 MB | 15 MB
Critical Users (On premises) | 2000 | 10 MB | 15 MB
Office 365 Users | 10000 | 35 MB | 35 MB
8.4.13. The global maximum attachment size for external send and receive is limited to
15 MB for On Premises users and to 35 MB for Office 365 users.
8.4.14. Critical business users with On Premises mailboxes will be allowed up to a 20 MB
limit on an individual basis.
8.4.15. Following are the guidelines for sending attachments:
8.4.15.1. Sending personal attachments is restricted.
8.4.15.2. Sharing video files, which consume high bandwidth and cause business
interruptions, should be avoided.
8.4.15.3. Only business-related attachments should be sent, and in compressed form,
to limit bandwidth utilization.
8.4.15.4. Attachment file types that are vulnerable to virus infection will be filtered at
the external e-mail gateway for incoming and outgoing emails. The list of filtered
attachment types is given in the mailbox characteristics specified in the Mailbox
policy.
8.4.16. Email accounts will be disabled immediately when staff leave the company and
deleted within 90 days. Where an email account needs to remain active after the staff
member exits, this will be accepted on receipt of a request from the department head.
The account will be kept active for 30 days; any further extension will require the
respective Department Head's approval.
8.4.17. Email forwarding will be made available for a period of 4 weeks once the employee
leaves the company, and can be extended upon request from the respective Department Head.
8.4.18. Users should under no circumstance enable the “save password” check box when
accessing Outlook Web Access from a public internet environment.
8.4.19. Following are the guidelines for email monitoring:
8.4.19.1. Users expressly waive any right of privacy in anything they create, store,
send or receive on the company’s computer system. AW Rostamani can, but
is not obliged to, monitor emails without prior notification. If there is
evidence that a user is not adhering to the guidelines set out in this policy,
AW Rostamani reserves the right to take disciplinary action.
8.4.19.2. E-mail messages are scanned for viruses on the internal and external e-mail
servers. If a virus is detected, the e-mail message will be deleted from the system
and an auto-generated warning message will inform the recipient or sender of the
detected virus along with the action taken.
8.4.19.3. Attachment file types that are vulnerable to virus infection will be filtered at
the external e-mail gateway for incoming and outgoing emails. The list of filtered
attachment types is given in the mailbox characteristics specified in the Mailbox
policy.
8.4.19.4. Users shall not undertake bulk campaigns sending mass email communications
or attachments to external users. In special cases this is permitted with prior
permission from GIT.
8.4.19.5. Misuse of email communication by users in sending personal email
attachments will result in withdrawal of the email communication facility.
8.4.19.6. Below mentioned file extensions are not permitted through the system.
These types of files shall be removed from the messages and sender/receiver
shall be notified of their removal:
8.4.19.6.1. bas – BASIC program;
8.4.19.6.2. vbs – Visual Basic program;
8.4.19.6.3. vbe – Visual Basic related;
8.4.19.6.4. vba – Vbase File;
8.4.19.6.5. All executable files;
8.4.19.6.6. bat – Batch Processing (Microsoft);
8.4.19.6.7. All compressed files
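To show how the attachment controls in 8.4.12 to 8.4.14 and the file-type block in 8.4.19.6 fit together at a mail gateway, the following is an added Python example; it is not AWR's or GIT's tooling and is not part of the policy. It parses a constructed sample message with the standard library, strips attachments whose final extension is blocked, reports them for the sender/receiver notification the clause requires, and checks the remaining attachment size against the mailbox table. The mailbox type labels, the function names, and the extension sets standing in for "all executable files" and "all compressed files" are assumptions, as is treating compressed files as blocked ahead of 8.4.15.3's request to compress business attachments.

```python
"""Gateway-side attachment control modelled on the policy's own limits (added example,
not AWR's or GIT's tooling). Mailbox figures: clause 8.4.12 table plus 8.4.13/8.4.14;
named extensions: clause 8.4.19.6. Items marked ASSUMED are this example's assumptions."""
import os
from email import policy as email_policy
from email.message import EmailMessage

MB = 1024 * 1024

# Clause 8.4.12: ASSUMED type label -> (mailbox size MB, internal attachment MB, external attachment MB).
MAILBOX_LIMITS = {
    "managers_onprem": (500, 5, 5),
    "users_onprem": (300, 5, 15),
    "critical_onprem": (2000, 10, 15),
    "office365": (10000, 35, 35),
}
GLOBAL_EXTERNAL_CAP_MB = {"onprem": 15, "office365": 35}  # clause 8.4.13
CRITICAL_INDIVIDUAL_CAP_MB = 20                            # clause 8.4.14

NAMED_BLOCKED = {"bas", "vbs", "vbe", "vba", "bat"}              # clause 8.4.19.6
ASSUMED_EXECUTABLE = {"exe", "com", "scr", "pif", "msi", "cmd"}  # ASSUMED: "all executable files"
ASSUMED_COMPRESSED = {"zip", "rar", "7z", "gz", "tar"}           # ASSUMED: "all compressed files"
BLOCKED_EXTENSIONS = NAMED_BLOCKED | ASSUMED_EXECUTABLE | ASSUMED_COMPRESSED


def attachment_limit_mb(mailbox_type, direction, individual_cap_mb=None):
    """Limit for one mailbox type and direction ('internal' or 'external')."""
    _, internal_mb, external_mb = MAILBOX_LIMITS[mailbox_type]
    if direction == "internal":
        return internal_mb
    platform = "office365" if mailbox_type == "office365" else "onprem"
    limit = min(external_mb, GLOBAL_EXTERNAL_CAP_MB[platform])
    if individual_cap_mb is not None:
        # 8.4.14: individual limits only for critical on-premises users, never above 20 MB.
        if mailbox_type != "critical_onprem" or individual_cap_mb > CRITICAL_INDIVIDUAL_CAP_MB:
            raise ValueError("individual limit only for critical on-premises users, max 20 MB")
        limit = individual_cap_mb
    return limit

def within_limit(total_bytes, mailbox_type, direction, individual_cap_mb=None):
    """True when the combined attachment size is inside the applicable limit."""
    return total_bytes <= attachment_limit_mb(mailbox_type, direction, individual_cap_mb) * MB

def is_blocked_filename(filename):
    """Match on the final extension only, so 'report.pdf.exe' is still caught."""
    ext = os.path.splitext(filename or "")[1].lstrip(".").lower()
    return ext in BLOCKED_EXTENSIONS

def filter_message(msg, mailbox_type, direction, individual_cap_mb=None):
    """Rebuild msg without blocked attachments (8.4.19.6) and check the size limit.
    Returns (clean_message, removed_filenames, size_ok)."""
    clean = EmailMessage(policy=email_policy.default)
    for header in ("From", "To", "Subject"):
        if msg[header] is not None:
            clean[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body is not None else "")
    removed, total_bytes = [], 0
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_blocked_filename(name):
            removed.append(name)
            continue
        payload = part.get_payload(decode=True) or b""
        total_bytes += len(payload)
        clean.add_attachment(payload, maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(), filename=name)
    return clean, removed, within_limit(total_bytes, mailbox_type, direction, individual_cap_mb)

def removal_notice(removed):
    """Sender/receiver notification text required by clause 8.4.19.6."""
    if not removed:
        return ""
    return "Attachments removed by the email gateway (file type not permitted): " + ", ".join(removed)

def build_sample_message():
    """Constructed sample (not real traffic): one allowed and three blocked attachments."""
    msg = EmailMessage(policy=email_policy.default)
    msg["From"], msg["To"] = "sender@example.invalid", "recipient@example.invalid"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please find the quarterly figures attached.")
    for data, maintype, subtype, name in (
        (b"%PDF-1.4 constructed placeholder", "application", "pdf", "report.pdf"),
        (b"' constructed placeholder", "text", "plain", "macro.vba"),
        (b"PK constructed placeholder", "application", "zip", "archive.zip"),
        (b"MZ constructed placeholder", "application", "octet-stream", "report.pdf.exe"),
    ):
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg

if __name__ == "__main__":
    clean, removed, size_ok = filter_message(build_sample_message(), "users_onprem", "external")
    print("kept:", [p.get_filename() for p in clean.iter_attachments()], "removed:", removed,
          "size ok:", size_ok, "\n" + removal_notice(removed))
```

The filter matches on the declared filename's final extension because that is the mechanism the policy describes; a production gateway should additionally inspect the attachment content (magic bytes, archive listings) since the declared name is under the sender's control. The individual 20 MB cap is only accepted for the critical on-premises mailbox type and is rejected for any other type, mirroring 8.4.14.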
8.4.20. The guidelines for email archiving are as follows:
8.4.20.1. Archiving is set for items older than 30 days, and emails are archived until the
mailbox's available storage reaches 10%.
8.4.20.2. Daily archiving will be scheduled between 2.00 am and 5.00 am on the
server mailbox.
8.4.20.3. Archived items will be moved from the primary storage location to the
secondary storage location on an annual basis, after review of storage
utilization.
8.4.20.4. Primary folders such as Inbox, Sent Items, Calendar and other user folders will
be archived.
8.4.20.5. Archived items will be backed up on a daily basis through the centralized backup
system.
8.4.20.6. Non-critical common mailbox accounts will be excluded from the archival
system.
8.4.20.7. Archiving consumes more storage as the number of items grows, so users are
required to clean up unwanted attachments and personal items on a regular basis.
8.5. Policy Compliance, Enforcement and Violations
8.5.1. Compliance Measurement
GIT will verify compliance to this policy through various methods, including but not limited
to periodic walk-throughs, video monitoring, business tool reports, internal and external
audits, and feedback to the policy owner.
8.5.2. Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to
and including termination of employment.
8.6. Exclusions
Any exclusion to the policy must be approved by GIT in advance.
8.7. References
8.7.1. Acceptable Use Policy
8.7.2. ISO 27001:2013
8.8. Appendix
8.8.1. RACI Matrix
A RACI diagram describes the participation of various roles in completing a task, project or
deliverable. RACI is an acronym derived from the four key responsibilities most typically
used in a process. These are:
Responsible Those who are responsible for the completion of a task, project, or
deliverable.
Accountable Those who are answerable for the correct, thorough and successful completion
of all work actions needed to achieve a task, project, or deliverable. Typically
there is only one role with a participation type of “Accountable.”
Consulted Those whose opinions are sought concerning an activity related to a task,
project or deliverable.
Informed Those who are kept up‐to‐date on the progress of a task, project, or
deliverable. Often, this is only done at the completion of a task, project, or
deliverable.
Group IT role | Participation
CIO | R/C/I
Information Security | R
IT Operations | A/R
IT Applications | R
Service Desk | R
Business Units role | Participation
Group HR | R/I
ARRE | R/I
Group Procurement | R/I
Group Audit Department | R/C/I
Group Legal Department | R/I
AWR Employees | R/I
8.8.2. Mapping with ISO/IEC 27001:2013
ISO/IEC 27001:2013 Control No. & Details | ISO/IEC 27001:2013 Section
A.13.2.3 Electronic Messaging: Information involved in electronic messaging shall be appropriately protected. | A.13 Communications Security
8.8.3. Terms and Definitions
Term Definition
Access control Ways to ensure that access to assets is permitted and restricted based on
work and safety requirements;
Antivirus Definition/signature Antivirus definitions are the definitions of known viruses based on
which the antivirus software identifies the presence of a virus.
Antivirus Software Antivirus or anti-virus software is software used to prevent, detect and
remove malware, such as: computer viruses.
Assets Anything that has value to the organization (information, software, the
computer itself, services, people, etc.);
Authentication Provision of assurance that a characteristic claimed by an entity is correct;
Availability The property of being accessible and usable by an authorized entity;
BYOD Bring your own device (BYOD) refers to the policy of permitting
employees to bring personally owned mobile devices (laptops, tablets,
and smart phones) to their workplace, and to use those devices to access
privileged company information and applications.
CD/DVD Compact disc, or CD for short, is a digital optical disc data storage
format. DVD (short for digital versatile disc) is a digital optical disc
storage format.
Chain Email An email sent to a number of people asking each recipient to send copies
with the same request to a specified number of others. The circulation of
a chain letter increases in geometrical progression as long as the
instructions are followed by all recipients.
Confidentiality Property that ensures that the information is not available or disclosed to
unauthorized individuals, entities or processes;
Corrective action Action to eliminate the cause of a detected nonconformity or other
undesirable situation;
Digital Signature Set of encrypted data associated with a document that guarantee its
integrity and authenticity.
Disaster Recovery Emergency plans to ensure the preservation of documents and own
physical integrity of the employees of an organization in case of
occurrence of natural disasters
Freeware Freeware (portmanteau of “free” and “software”) is software that is
available for use at no monetary cost, but with one or more restricted
usage rights such as source code being withheld or redistribution
prohibited.
Impact A measure of the effect of an incident, problem or change on Business
Processes. Impact is often based on how service levels will be affected.
Impact and urgency are used to assign priority.
Incident Incident is an undesirable event which may cause a temporary or
permanent disruption to the business.
Information Asset Custodian Asset Custodian is an individual or entity to whom routine tasks may be
delegated and who looks after the asset on a daily basis.
Information Asset Owner Asset Owner is an individual or entity that has management
responsibility for controlling the production, development, maintenance, use and security
of the asset.
Information Security Preservation of the confidentiality, integrity and availability of information;
Information Security Management System Information Security Management System (ISMS) is a
set of policies, procedures and guidelines established to plan, implement, monitor, measure,
review and continually improve the effectiveness and efficiency of the ISO 27001 standard.
Information Security Steering Committee (ISSC) ISSC is the management body which provides
the overall direction for the execution of the Information Security program within AWR.
Information System An information system is a user computing system, such as a desktop PC or
laptop, used to carry out operations with greater speed and accuracy.
Integrity The property of protecting the correctness (accuracy and completeness) of assets;
Internet Gateway Internet gateway is a router used to forward packets to the Internet and
receive packets from the Internet.
Internet Services Any services provided by AWR GIT based on World Wide Web (www)
such as surfing.
Intrusion Detection Systems that alert administrators to potential intruders entering the
systems; they attempt to recognize intrusive behaviour or actions.
IP Address The Internet Protocol (IP) is the principal communications protocol in the
Internet protocol suite for relaying datagrams across network boundaries.
Its routing function enables internetworking, and essentially establishes
the Internet.
ISO 27001 Global standards for information Security Management System.
ISP An Internet service provider (ISP) is an organization that provides
services for accessing, using, or participating in the Internet. Internet
service providers may be organized in various forms, such as
commercial, community-owned, non-profit, or otherwise privately
owned.
Junk Mail/Spam Any unsolicited mail such as advertisement, promotion etc., which may
flood the inbox.
KEDB Known Error Database is a part of the problem management module
which lists known errors and workaround for incidents.
Malware/malicious program Malware, short for malicious software, is software used to disrupt
computer operation, gather sensitive information, or gain access to private computer
systems. It can appear in the form of code, scripts, active content, and other software.
Memory Card A memory card or flash card is an electronic flash memory data storage
device used for storing digital information. They are commonly used in
many electronic devices, including digital cameras, mobile phones,
laptop computers, MP3 players and video game consoles.
Network Gateway Network Gateway is a router or a proxy server that routes between
networks
Network Printer A network printer is a printer that is connected to a computer network
and can be accessed from many different computers.
Operating System An operating system (OS) is a collection of software that manages
computer hardware resources and provides common services for
computer programs.
On Premises User A user whose email mailbox is configured in the on premises
environment within the organization
PC A personal computer (PC) is a general-purpose computer used for
processing, storing or transmitting the information.
Remote Access Remote access is a connection to information processing facility (such as
user system, database, network device etc.) from a remote location
through the means of tools.
Removable Storage Device/Media Media designed to be read from or written to by removable
readers, writers and drives, such as pen drives.
Responsibility Responsibility to an entity for their actions and decisions;
Risk Combination of the probability of an event and its consequences;
Risk analysis The systematic use of information to identify sources and to estimate the
occurrence of a risk.
Risk management Coordinated activities to direct and control an organization in relation to
a particular risk;
Tablet PC A tablet PC, or simply tablet, is a mobile computer with display, circuitry
and battery in a single unit. Tablets are equipped with sensors, including
cameras, microphone, accelerometer and touchscreen, with finger or
stylus gestures replacing computer mouse and keyboard.
Threat A potential cause of an undesired event, which may result in damage to a
system or entity;
Trojan Horse A Trojan is non-self-replicating malware that appears to perform a
desirable function for the user but instead facilitates unauthorized access
to the user's computer system.
USB Universal Serial Bus (USB) is an industry standard that defines the
cables, connectors and communications protocols used in a bus for
connection, communication, and power supply between computers and
electronic devices.
User A person who uses the GIT Service on a day-to-day basis.
Virus A computer virus is a computer program that can copy itself and infect a
computer.
Vulnerability Weakness of an asset or control which can be exploited by a threat.
Worm A computer worm is a self-replicating computer program. It uses a
computer network to send copies of itself to other nodes (computers on
the network) and it may do so without any user intervention.