IT Baseline Protection Manual S 2.122 Standard e-mail addresses


Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator, IT users

E-mail addresses should be allocated on the basis of clearly defined rules. In this context, it is advisable to base the nomenclature for personal e-mail addresses on the names of the users of the IT systems (e.g. e-mail address = first eight characters of the surname). User names on IT systems which can be accessed from outside the protected network should not be directly derivable from the e-mail addresses, in order to prevent intrusions into user accounts. It is important not to change addresses too frequently or make them too long and complicated. In particular, it must be ensured that non-ASCII characters such as mutated vowels (umlauts) are not used as part of e-mail addresses.
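One way to apply these rules, as an added example that is not part of the manual: `local_part` derives an ASCII-only local part from the first eight characters of a surname, and `audit` flags records whose address contains non-ASCII characters or whose externally reachable login can be read off the address. The transliteration table, the record fields, the `example.org` domain and the containment test for "derivable" are assumptions made for this sketch.

```python
import unicodedata

# Assumed transliteration for German mutated vowels and sharp s.
TRANSLIT = {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"}
MAX_LOCAL = 8  # the manual's example: first eight characters of the surname


def local_part(surname):
    """Return an ASCII-only local part built from a surname."""
    s = "".join(TRANSLIT.get(c, c) for c in surname.lower())
    # Strip remaining accents (é -> e), then keep letters and digits only.
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return "".join(c for c in s if c.isalnum())[:MAX_LOCAL]


def audit(record):
    """Return the rule violations found in one account record."""
    findings = []
    addr = record["email"]
    login = record["login"].lower()
    local = addr.split("@", 1)[0].lower()
    if not addr.isascii():
        findings.append("non-ascii address")
    # Heuristic (assumption): a login counts as derivable when it equals,
    # contains, or is contained in the local part of the address.
    derivable = bool(login) and (login in local or local in login)
    if record["external_login"] and derivable:
        findings.append("login derivable from address")
    return findings


# Constructed sample records, not taken from any real directory.
SAMPLE = [
    {"email": "mueller@example.org", "login": "mueller", "external_login": True},
    {"email": "müller@example.org", "login": "u48213", "external_login": True},
    {"email": "schwarze@example.org", "login": "schwarze", "external_login": False},
    {"email": "grossman@example.org", "login": "k7f2q", "external_login": True},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["email"], audit(rec) or "ok")
```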

To impede intrusions, avoid e-mail advertisements, and release as little information as possible outside the protected network, it might be advisable to assign e-mail addresses which are difficult to guess instead of addresses related directly to users and organisations (for example, surname@organization.com). However, this also makes the forwarding of addresses less convenient and can render communications with external parties more difficult.

If e-mail addresses are modified or no longer applicable, it must be ensured that e-mail bearing the old address is transferred to the new address at least for a transitional period.

In addition to personal e-mail addresses, specific organisational and specific functional e-mail addresses can also be configured in order to guarantee proper delivery to the right department, regardless of the persons involved. This is of particular importance in the case of central gathering points.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999