S 2.118 Determination of a security policy for the use of e-mail

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Before e-mail systems can be approved for use, their intended purpose must be determined. This purpose, in turn, shapes requirements concerning the confidentiality, availability, integrity and non-repudiation of the data to be transmitted as well as the e-mail program to be employed. Clarification is required as to whether e-mail is to be used exclusively for the transmission of non-binding and informal information, or whether some or all of the business transactions processed previously in writing are now to be carried out via e-mail. If the latter is true, clarification is required as to how previously hand-written remarks concerning procedures and orders, signatures and initials should now be placed electronically.

The institution must specify a security policy which describes the following items:

• The persons who are to receive e-mail connections

• The rules to be observed by e-mail administrators and e-mail users

• The degree of confidentiality and integrity up to which information may be dispatched via e-mail

• The manuals which need to be procured

• How users should be trained

• How to ensure a constant availability of technical assistance for users

Organisational rules and technical measures are required to meet, in particular, the following conditions for the proper transfer of files:

• E-mail programs intended for users should be pre-configured by the administrator so as to automatically achieve the highest possible level of security for the users (also refer to S 5.57 Secure Configuration of Mail Clients).

• Data should only be transferred following successful identification and authentication of the sender by the transmission system.

• Before making use of e-mail services for the first time, users must be briefed on how to handle the related applications. Users must be familiar with internal organisational rules concerning file transfer.

• To identify the sender of an e-mail, a signature is appended to the end of the e-mail. The contents of this signature should resemble those of a letterhead, i.e. include the user name, organisation name, telephone number etc. A signature should not be too large, as this would take up unnecessary transmission time and storage space. The agency / company should determine a standard for signature design.

• The security mechanisms in use determine the degree of confidentiality and integrity up to which files may be sent via e-mail. Clarification is required as to whether and when data to be transmitted should be encrypted and signed digitally (also refer to S 4.34 Using Encryption, Checksums or Digital Signatures). A central body must determine the applications to be employed by users for the encryption and use of digital signatures. These applications must be made available to the users, who should be briefed beforehand on how to handle the applications.

• Before the introduction of electronic communications systems, clarification is required as to the circumstances under which incoming and outgoing e-mails also need to be printed out.

• File transfer can be documented (optionally). In this case, every file transfer, together with the contents and recipient of the information, is registered in a log. Legal regulations concerning logging must be observed during the transfer of person related data.

Email intended for internal dispatch must not be allowed to leave the internal network. This must be ensured by appropriate administrative measures. For example, the transfer of e-mail between the various departments of an organisation should take place via internal, dedicated lines and not via the Internet.

In principle, messages intended for internal addresses must not be forwarded to external addresses. If an exception needs to be made, all employees must be informed duly. For example, e-mails might need to be forwarded to external points where they can be accessed by staff on external duty or other employees on business trips.

Additional controls:

• Does a security policy governing the use of e-mail exist?

• Who is responsible for answering users' queries concerning e-mail?