IT Baseline Protection Manual S 2.121 Regular deletion of e-mails

S 2.121 Regular deletion of e-mails

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: IT-user

E-mail should not remain stored on the stack of incoming mail for an unnecessarily long period of time. It should either be deleted after it has been read or, if it is to be retained, relocated to a corresponding user directory. If too much e-mail accumulates on the incoming stack, the IT system (mail server or mail client) managing this stack will reject new incoming e-mail if the storage space becomes insufficient.

Users must be informed that e-mail which they have deleted via their mail application is usually not erased irrevocably. Instead of deleting e-mail immediately, many programs transfer it to a special folder. Users must be briefed on how to completely delete e-mail on their clients.

Even after having been deleted completely on a client, e-mail may still be present on a mail server. Many Internet providers and administrators archive incoming and outgoing e-mail. Instead of deleting e-mail, many mail applications transfer it to an electronic wastebasket which is emptied only from time to time.

Users must be made aware of the fact that the confidentiality of e-mail can only be ensured by encryption, and not necessarily by quick deletion following receipt.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999