S 2.119 Regulations concerning the use of e-mail services

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT-user

If data are to be exchanged electronically between two or more communications partners, they must observe the following guidelines to ensure proper exchange:

• E-mails must bear unique addresses to prevent dispatch to the wrong party. Within an organisation, address books and distribution lists should be maintained to ensure that the most commonly used addresses are always correct. Test messages should be sent to newly configured e-mail addresses in order to ensure that the data is transferred correctly.

• If e-mail is sent to several recipients, the "CC" option should not be used as every recipient can then see who else has received the message. Instead, distribution lists or the "BCC" option should be used. BCC stands for blind carbon copy and recipients entered here are not told who else has received the message.

• All e-mails sent to external locations must be appended with a signature file containing the complete sender address.

• The subject of communication must always be indicated, similar to the mention of subjects in written correspondence.

• Data transmissions which have been completed should be checked for correctness. The recipient should check whether data have been received properly, and issue a confirmation to the transmitting party.

• A memory-resident virus scanner should be employed for incoming and outgoing files. Prior to their dispatch, outgoing files should be checked explicitly for computer viruses.

• If a file has been attached to an e-mail, the following information should also be submitted to the recipient:

• The type of file (e.g. Word Perfect 5.0),

• A brief description of the file contents

• A note that the file has been scanned for computer viruses

• If applicable, the type of compression program (e.g. PKZIP)

• If applicable, the type of encryption software or digital signature

The following items should not be indicated:

• Passwords allocated to classified information

• Keys used for encrypting information

In the case of most e-mail systems, information is sent in unencrypted form via open lines, and might be stored on a number of computers until it reaches the recipient. The information can be easily manipulated during its journey. In addition, senders of e-mail are in most cases able to freely enter the origin of the e-mail (From:) so that their authenticity can only be verified through double checking or the use of digital signatures. In case of doubt, the authenticity of the sender should therefore be verified through a corresponding check or - better still - through the use of encryption and/or digital signatures. In principle, the authenticity of sender details should not be taken for granted.

E-mail systems should be checked several times daily to determine whether new e-mails have arrived. Rules should be drawn up to govern the substitution of users during their prolonged absence, for example, in order to forward incoming e-mail to a stand-in.

As in most cases, it is not possible to ascertain which type of e-mail client is used by a mail recipient and which software / operating systems are used on the transmission route, users should be instructed to employ 7-bit ASCII representation for mail bodies as well as attachments. Locally applicable special characters such as mutated vowels and Greek symbols should therefore not be included in the message text. In case of doubt, attachments should be converted into 7-bit ASCII form using uuencode, for example.

All rules and instructions concerning the use of e-mail should be specified in writing and remain constantly available to employees. An appropriate draft is provided on the accompanying IT Baseline Protection Manual CD-ROM.

Personnel must be briefed before using communications services such as e-mail in order to avoid incorrect handling and ensure that internal organisational guidelines are adhered to. In particular, users should be made aware of possible threats and the related security measures to be observed during the transmission and reception of e-mail.

To prevent overloading through e-mail, employees should be briefed about the types of action which should be avoided in this context. They should be warned against participation in electronic chain-letter mailings as well as subscription to high volume mailing lists.

Users must be informed that files whose contents might cause offence should not be dispatched to others, stored on information servers, or requested from them. Furthermore, users should be instructed to observe the following rules during the use of communications services:

• Negligent or even intentional interruption of operations in progress should be avoided at all costs. Actions which should be avoided in particular include unauthorised attempts to access network services regardless of their nature, modification of information available via networks, intervention in the operating environments of other network users, and forwarding of inadvertently received details on computers and staff members to third parties.

• Information of no public relevance should not be disseminated. The overloading of networks through an arbitrary and excessive distribution of information should be avoided.

• The distribution of redundant information should be avoided.

Additional controls:

• Have regulations governing file transfer and exchange of messages with external parties been established?