8/14/2019 ISO27k Model Policy on Email Security

1/6

NoticeBored information security awareness Email security policy

0100090000030202000002008a01000000008a01000026060f000a03574d46430100000000000100823f0000000001000000e802000000000000e8020000010000006c00000000000000000000002c00000071000000000000000000000075170000c902000020454d4600000100e80200000e00000002000000000000000000000000000000981200009e1a0000ca000000210100000000000000000000000000003e13030016670400160000000c000000180000000a00000010000000000000000000000009000000100000008d050000a7000000250000000c0000000e000080120000000c000000010000005200000070010000010000009cffffff000000000000000000000000900100000000000004400012540069006d006500730020004e0065007700200052006f006d0061006e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000cb30093000000000040000000000ae30083109300000000067169001001002020603050405020304877a0020000000800800000000000000ff01000000000000540069006d00650073002000000065007700200052006f006d0061006e000000540069006d006500730020004e0065007700200052006f

006d0061006e000000a04811004c3eaf30b84811006476000800000000250000000c00000001000000180000000c00000000000002540000005400000000000000000000002c00000071000000010000005fcc874078b88740000000005a000000010000004c0000000400000000000000000000008b050000a9000000500000002000720f2d00000046000000280000001c0000004744494302000000ffffffffffffffff8e050000a800

0000000000004600000014000000080000004744494303000000250000000c0000000e0000800e000000140000000000

Copyright 2007, ISO27k implementers' forum Page 1 of 6

http://groups.google.com/group/iso27001securityhttp://groups.google.com/group/iso27001securityhttp://groups.google.com/group/iso27001security

8/14/2019 ISO27k Model Policy on Email Security

2/6

000010000000140000000400000003010800050000000b0200000000050000000c021b00e400040000002e0118001c000000fb020300010000000000bc0200000000010202225379

7374656d0000000000000000000000000000000000000000000000000000040000002d01000004000000020101001c000000fb02f0ff0000000000009001000000000440001254696d6573204e657720526f6d616e0000000000000000000000000000000000040000002d010100050000000902000000020d000000320a0e0000000100040000000000e5001b002020

0700040000002d010000030000000000

Information security policy

Email security

Version 3 DRAFT / FINAL DRAFT / APPROVED

Original author: Gary@IsecT.com

Modified by:

Policy approved by Date approved

[Insert senior manager/directorsname and job here]

[Insert approvaldate here]

Policy summaryThis policy defines and distinguished acceptable/appropriate from unacceptable/inappropriate useof electronic mail (email).

ApplicabilityThis is a standard corporate policy that applies throughout the organization as part of the corporategovernance framework. It applies to all users of the corporate email systems.

Policy Detail

Background

Email is perhaps the most important means of communication throughout the business world.Messages can be transferred quickly and conveniently across our internal network and globally viathe public Internet. However, there are risks associated with conducting business via email. Email

is not inherently secure, particularly outside our own internal network. Messages can beintercepted, stored, read, modified and forwarded to anyone, and sometimes go missing. Casualcomments may be misinterpreted and lead to contractual or other legal issues.

mailto:Gary@IsecT.commailto:Gary@IsecT.commailto:Gary@IsecT.com

8/14/2019 ISO27k Model Policy on Email Security

3/6

NoticeBored information security awareness Email security policy

Policy axioms (guiding principles)

A. Email users are responsible for avoiding practices that could compromise informationsecurity.

B. Corporate email services are provided to serve operational and administrative purposes inconnection with the business. All emails processed by the corporate IT systems andnetworks are considered to be the organizations property.

Detailed policy requirements

1. Do not use email:

To send confidential/sensitive information, particularly over the Internet, unless it is firstencrypted by an encryption system approved by Information Security;

To create, send, forward or store emails with messages or attachments that might beillegal or considered offensive by an ordinary member of the public i.e. sexually explicit,racist, defamatory, abusive, obscene, derogatory, discriminatory, threatening, harassingor otherwise offensive;

To commit the organization to a third party for example through purchase or salescontracts, job offers or price quotations, unless your are explicitly authorized bymanagement to do so (principally staff within Procurement and HR). Do not interfere withor remove the standard corporate email disclaimer automatically appended to outboundemails;

For private or charity work unconnected with the organizations legitimate business;

In ways that could be interpreted as representing or being official public statements onbehalf of the organization, unless you are a spokesperson explicitly authorized bymanagement to make such statements;

To send a message from anyone elses account or in their name (including the use of false From: addresses). If authorized by the manager, a secretary may send email onthe managers behalf but should sign the email in their own name per pro (for and onbehalf of) the manager;

To send any disruptive, offensive, unethical, illegal or otherwise inappropriate matter,including offensive comments about race, gender, colour, disability, age, sexualorientation, pornography, terrorism, religious beliefs and practice, political beliefs or national origin, hyperlinks or other references to indecent or patently offensive websitesand similar materials, jokes, chain letters, virus warnings and hoaxes, charity requests,viruses or other malicious software;

For any other illegal, unethical or unauthorized purpose.

2. Apply your professional discretion when using email, for example abiding by the generallyaccepted rules of email etiquette (see the Email security guidelines for more). Reviewemails carefully before sending, especially formal communications with external parties.

3. Do not unnecessarily disclose potentially sensitive information in out of office messages.

4. Emails on the corporate IT systems are automatically scanned for malicious software, spamand unencrypted proprietary or personal information. Unfortunately, the scanning processis not 100% effective ( e.g . compressed and encrypted attachments may not be fullyscanned), therefore undesirable/unsavory emails are sometimes delivered to users. Deletesuch emails or report them as security incidents to IT Help/Service Desk in the normal way.

5. Except when specifically authorized by management or where necessary for IT systemadministration purposes, employees must not intercept, divert, modify, delete, save or disclose emails.

6. Limited personal use of the corporate email systems is permitted at the discretion of local

Copyright 2007, ISO27k implementers' forum Page 3 of 6

8/14/2019 ISO27k Model Policy on Email Security

4/6

management provided always that it is incidental and occasional, and does not interferewith business. You should have no expectations of privacy: all emails traversing thecorporate systems and networks are subject to automated scanning and may bequarantined and/or reviewed by authorized employees.

7. Do not use Gmail, Hotmail, Yahoo or similar external/third-party email services (commonly

known as webmail) for business purposes. Do not forward or auto-forward corporateemail to external/third party email systems. [You may access your own webmail viacorporate IT facilities at local management discretion provided that such personal use isstrictly limited and is not considered private (see previous statement).]

8. Be reasonable about the number and size of emails you send and save. Periodically clear out your mailbox, deleting old emails that are no longer required and filing messages thatneed to be kept under appropriate email folders. Send important emails for archivalaccording to the email archival policy .

ResponsibilitiesInformation Security Management is responsible for maintaining this policy andadvising generally on information security controls. Working in conjunction with other corporate functions, it is also responsible for running educational activities to raiseawareness and understanding of the responsibilities identified in this policy.

IT Department is responsible for building, configuring, operating and maintaining thecorporate email facilities (including anti-spam, anti-malware and other email securitycontrols) in accordance with this policy.

IT Help/Service Desk is responsible for assisting users with secure use of emailfacilities, and acts as a focal point for reporting email security incidents.

All relevant employees are responsible for complying with this and other corporatepolicies at all times. This policy also applies to third party employees acting in a similar capacity whether they are explicitly bound ( e.g . by contractual terms and conditions) or implicitly bound ( e.g . by generally held standards of acceptable behavior) to comply withour information security policies.

Internal Audit is authorized to assess compliance with this and other corporate policiesat any time.

Related policies, standards and guidelines

Item Relevance

Information securitypolicy manual

Defines the overarching set of information security controls reflectingISO/IEC 27002, the international standard code of practice for informationsecurity management

Email archival policy Explains the rules regarding backups, archives and retrieval of importantemails.

Email securityguidelines, top tips

etc .

General advice for email users, first released through the securityawareness program in September 2007. Includes advice on emailetiquette, avoiding phishing emails and virus-infected emails etc .

8/14/2019 ISO27k Model Policy on Email Security

5/6

NoticeBored information security awareness Email security policy

ContactsFor further information about this policy or information security in general, contact the InformationSecurity Manager. A variety of standards, procedures, guidelines and other materials supportingand expanding upon this and other information security policies are available in the organizationsInformation Security Manual, on the corporate intranet and through the Information SecurityManager. Local IT/information security contacts throughout the organization can also providegeneral guidance on the implementation of this policy - contact your line manager or the ITHelp/Service Desk for advice.

Copyright 2007, ISO27k implementers' forum Page 5 of 6

8/14/2019 ISO27k Model Policy on Email Security

6/6

Important note from IsecT Ltd.

mmonplace controls in this area. Because it is generic, it cannot fully reflect every users requirements.

s provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed t