IT Baseline Protection Manual S 2.123 Selection of a mail provider

S 2.123 Selection of a mail provider

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Head of IT section

Before selecting a mail provider, the responsible persons should find out which terms the prospective provider imposes: for example, whether upper limits are set for the volume of incoming and outgoing e-mail, and whether e-mail is filtered and, if so, according to which rules.

Confirmation of reliable operation of the provider's mail server must be obtained, i.e. the conditions specified in S 5.56 Secure Operation of a Mail Server must be fulfilled.

The mail provider stores user data for invoicing purposes (name, address, user ID, bank account) as well as connection data and transmitted contents, for a retention period that varies from one provider to another.

Users should ask their mail provider which items of data concerning them are stored and for how long. When selecting a provider, it should be taken into account that German providers must comply with the data privacy regulations that apply to the processing of this information.

By encrypting their messages, users can prevent the provider from reading the contents of the data transferred.

Large providers with their own large network have an advantage in that e-mail exchanged exclusively within this network is less susceptible to manipulation than if it were forwarded via the Internet.

Many providers whose headquarters are situated abroad route all e-mail via that country. For example, AOL (and Compuserve) route all e-mail via the US. This fact should be taken into account when determining the number of gateways via which e-mail is distributed, i.e. the number of parties who might be able to monitor the e-mail.
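The two preceding paragraphs ask the selector to consider how many gateways, and therefore how many parties, handle a message in transit. Every forwarding gateway prepends a Received: header, so the headers of a received message record that path. The following script, an added example that is not part of the BSI safeguard text, reconstructs the hop list from a constructed sample message and flags the gateways outside a given set of trusted domains (the placeholders `org.example` and `provider.example` are assumptions):

```python
"""Reconstruct an e-mail's path from its Received: headers (added example,
not BSI text). Each forwarding gateway prepends a Received: header, so the
headers read bottom-up list the relays, i.e. the parties that could read
the message in transit. Host names are constructed placeholders."""
import email
import re

# Constructed sample: sender -> ISP relay -> mail provider -> organisation.
SAMPLE_MESSAGE = b"""\
Received: from mx.provider.example (mx.provider.example [192.0.2.10])
\tby mail.org.example with ESMTPS id abc123; Tue, 6 Jul 1999 10:02:00 +0200
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.provider.example with ESMTP id xyz789; Tue, 6 Jul 1999 10:01:30 +0200
Received: from [203.0.113.5] (helo=workstation.sender.example)
\tby relay.isp.example with SMTP; Tue, 6 Jul 1999 10:01:00 +0200
From: alice@sender.example
To: bob@org.example
Subject: test

hello
"""

_FROM_RE = re.compile(r"\bfrom\s+([^\s;()]+)", re.IGNORECASE)
_BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.IGNORECASE)


def relay_hops(raw: bytes) -> list[tuple[str, str]]:
    """Return (from_host, by_host) per Received: header, oldest hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        frm, by = _FROM_RE.search(flat), _BY_RE.search(flat)
        hops.append((frm.group(1) if frm else "?", by.group(1) if by else "?"))
    return list(reversed(hops))  # headers are prepended, so reverse


def external_gateways(raw: bytes, own_domains: tuple[str, ...]) -> list[str]:
    """Receiving hosts outside the organisation's and provider's domains:
    each one handled the message in clear unless the content was encrypted."""
    def is_own(host: str) -> bool:
        h = host.lower()
        return any(h == d or h.endswith("." + d) for d in own_domains)
    return [by for _, by in relay_hops(raw) if not is_own(by)]


if __name__ == "__main__":
    print(relay_hops(SAMPLE_MESSAGE))
    print(external_gateways(SAMPLE_MESSAGE, ("org.example", "provider.example")))
```

Received: headers added by untrusted relays can be forged, so the list is only reliable from the first gateway the organisation or its provider controls downward.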

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999