Scribd Logo
Importer

Bienvenue sur Scribd !

  • ISO27k Model Policy On Email Security

    Transféré par

    vishnukesarwani
    237 vues6 pages
    Email security policy Page 1 of 6 - DRAFT / FINAL DRAFT/ APPROVED Original author: [Insert senior manager / director's name here] policy summary This policy outlines the company's policy on email security.

    Description originale:

    Titre original

    ISO27k Model Policy on Email Security

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Formats disponibles

    RTF, PDF, TXT ou lisez en ligne sur Scribd

    Avez-vous trouvé ce document utile ?

    Ce contenu est-il inapproprié ?

    Signaler ce document
    Email security policy Page 1 of 6 - DRAFT / FINAL DRAFT/ APPROVED Original author: [Insert senior manager / director's name here] policy summary This policy outlines the company's policy on email security.

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme RTF, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    237 vues6 pages

    ISO27k Model Policy On Email Security

    Transféré par

    vishnukesarwani
    Email security policy Page 1 of 6 - DRAFT / FINAL DRAFT/ APPROVED Original author: [Insert senior manager / director's name here] policy summary This policy outlines the company's policy on email security.

    Droits d'auteur :

    Attribution Non-Commercial (BY-NC)
    Téléchargez comme RTF, PDF, TXT ou lisez en ligne sur Scribd
    Signaler comme contenu inapproprié
    sur 6

    NoticeBored information security awareness Email security policy

    0100090000030202000002008a01000000008a0100002606
    0f000a03574d46430100000000000100823f000000000100
    0000e802000000000000e8020000010000006c0000000000
    0000000000002c0000007100000000000000000000007517
    0000c902000020454d4600000100e80200000e0000000200
    0000000000000000000000000000981200009e1a0000ca00
    0000210100000000000000000000000000003e1303001667
    0400160000000c000000180000000a000000100000000000
    00000000000009000000100000008d050000a70000002500
    00000c0000000e000080120000000c000000010000005200
    000070010000010000009cffffff0000000000000000000000
    00900100000000000004400012540069006d006500730020
    004e0065007700200052006f006d0061006e000000000000
    000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000
    000000000000000000000000000000000000000000000000
    00cb30093000000000040000000000ae3008310930000000
    0067169001001002020603050405020304877a0020000000
    800800000000000000ff01000000000000540069006d0065
    0073002000000065007700200052006f006d0061006e0000
    00540069006d006500730020004e0065007700200052006f
    006d0061006e000000a04811004c3eaf30b8481100647600
    0800000000250000000c00000001000000180000000c0000
    0000000002540000005400000000000000000000002c0000
    0071000000010000005fcc874078b88740000000005a0000
    00010000004c0000000400000000000000000000008b0500
    00a9000000500000002000720f2d00000046000000280000
    001c0000004744494302000000ffffffffffffffff8e050000a800
    000000000000460000001400000008000000474449430300
    0000250000000c0000000e0000800e000000140000000000

    Copyright © 2007, ISO27k implementers' forum Page 1 of 6


    000010000000140000000400000003010800050000000b02
    00000000050000000c021b00e400040000002e0118001c00
    0000fb020300010000000000bc0200000000010202225379
    7374656d0000000000000000000000000000000000000000
    000000000000040000002d01000004000000020101001c00
    0000fb02f0ff0000000000009001000000000440001254696
    d6573204e657720526f6d616e00000000000000000000000
    00000000000040000002d010100050000000902000000020
    d000000320a0e0000000100040000000000e5001b002020
    0700040000002d010000030000000000
    Information security policy

    Email security

    Version 3 – DRAFT / FINAL DRAFT / APPROVED


    Original author: Gary@IsecT.com
    Modified by:

    Policy approved by Date approved


    [Insert senior manager/director’s [Insert approval
    name and job here] date here]

    Policy summary
    This policy defines and distinguished acceptable/appropriate from unacceptable/inappropriate use
    of electronic mail (email).

    Applicability
    This is a standard corporate policy that applies throughout the organization as part of the corporate
    governance framework. It applies to all users of the corporate email systems.

    Policy Detail
    Background
    Email is perhaps the most important means of communication throughout the business world.
    Messages can be transferred quickly and conveniently across our internal network and globally via
    the public Internet. However, there are risks associated with conducting business via email. Email
    is not inherently secure, particularly outside our own internal network. Messages can be
    intercepted, stored, read, modified and forwarded to anyone, and sometimes go missing. Casual
    comments may be misinterpreted and lead to contractual or other legal issues.
    NoticeBored information security awareness Email security policy

    Policy axioms (guiding principles)


    A. Email users are responsible for avoiding practices that could compromise information
    security.
    B. Corporate email services are provided to serve operational and administrative purposes in
    connection with the business. All emails processed by the corporate IT systems and
    networks are considered to be the organization’s property.

    Detailed policy requirements


    1. Do not use email:
     To send confidential/sensitive information, particularly over the Internet, unless it is first
    encrypted by an encryption system approved by Information Security;
     To create, send, forward or store emails with messages or attachments that might be
    illegal or considered offensive by an ordinary member of the public i.e. sexually explicit,
    racist, defamatory, abusive, obscene, derogatory, discriminatory, threatening, harassing
    or otherwise offensive;
     To commit the organization to a third party for example through purchase or sales
    contracts, job offers or price quotations, unless your are explicitly authorized by
    management to do so (principally staff within Procurement and HR). Do not interfere with
    or remove the standard corporate email disclaimer automatically appended to outbound
    emails;
     For private or charity work unconnected with the organization’s legitimate business;
     In ways that could be interpreted as representing or being official public statements on
    behalf of the organization, unless you are a spokesperson explicitly authorized by
    management to make such statements;
     To send a message from anyone else’s account or in their name (including the use of
    false ‘From:’ addresses). If authorized by the manager, a secretary may send email on
    the manager’s behalf but should sign the email in their own name per pro (‘for and on
    behalf of’) the manager;
     To send any disruptive, offensive, unethical, illegal or otherwise inappropriate matter,
    including offensive comments about race, gender, colour, disability, age, sexual
    orientation, pornography, terrorism, religious beliefs and practice, political beliefs or
    national origin, hyperlinks or other references to indecent or patently offensive websites
    and similar materials, jokes, chain letters, virus warnings and hoaxes, charity requests,
    viruses or other malicious software;
     For any other illegal, unethical or unauthorized purpose.
    2. Apply your professional discretion when using email, for example abiding by the generally
    accepted rules of email etiquette (see the Email security guidelines for more). Review
    emails carefully before sending, especially formal communications with external parties.
    3. Do not unnecessarily disclose potentially sensitive information in “out of office” messages.
    4. Emails on the corporate IT systems are automatically scanned for malicious software, spam
    and unencrypted proprietary or personal information. Unfortunately, the scanning process
    is not 100% effective (e.g. compressed and encrypted attachments may not be fully
    scanned), therefore undesirable/unsavory emails are sometimes delivered to users. Delete
    such emails or report them as security incidents to IT Help/Service Desk in the normal way.
    5. Except when specifically authorized by management or where necessary for IT system
    administration purposes, employees must not intercept, divert, modify, delete, save or
    disclose emails.
    6. Limited personal use of the corporate email systems is permitted at the discretion of local

    Copyright © 2007, ISO27k implementers' forum Page 3 of 6


    management provided always that it is incidental and occasional, and does not interfere
    with business. You should have no expectations of privacy: all emails traversing the
    corporate systems and networks are subject to automated scanning and may be
    quarantined and/or reviewed by authorized employees.
    7. Do not use Gmail, Hotmail, Yahoo or similar external/third-party email services (commonly
    known as “webmail”) for business purposes. Do not forward or auto-forward corporate
    email to external/third party email systems. [You may access your own webmail via
    corporate IT facilities at local management discretion provided that such personal use is
    strictly limited and is not considered private (see previous statement).]
    8. Be reasonable about the number and size of emails you send and save. Periodically clear
    out your mailbox, deleting old emails that are no longer required and filing messages that
    need to be kept under appropriate email folders. Send important emails for archival
    according to the email archival policy.

    Responsibilities
     Information Security Management is responsible for maintaining this policy and
    advising generally on information security controls. Working in conjunction with other
    corporate functions, it is also responsible for running educational activities to raise
    awareness and understanding of the responsibilities identified in this policy.
     IT Department is responsible for building, configuring, operating and maintaining the
    corporate email facilities (including anti-spam, anti-malware and other email security
    controls) in accordance with this policy.
     IT Help/Service Desk is responsible for assisting users with secure use of email
    facilities, and acts as a focal point for reporting email security incidents.
     All relevant employees are responsible for complying with this and other corporate
    policies at all times. This policy also applies to third party employees acting in a similar
    capacity whether they are explicitly bound (e.g. by contractual terms and conditions) or
    implicitly bound (e.g. by generally held standards of acceptable behavior) to comply with
    our information security policies.
     Internal Audit is authorized to assess compliance with this and other corporate policies
    at any time.

    Related policies, standards and guidelines


    Item Relevance
    Defines the overarching set of information security controls reflecting
    Information security
    ISO/IEC 27002, the international standard code of practice for information
    policy manual
    security management

    Explains the rules regarding backups, archives and retrieval of important


    Email archival policy
    emails.

    Email security General advice for email users, first released through the security
    guidelines, top tips awareness program in September 2007. Includes advice on email
    etc. etiquette, avoiding phishing emails and virus-infected emails etc.
    NoticeBored information security awareness Email security policy

    Contacts
    For further information about this policy or information security in general, contact the Information
    Security Manager. A variety of standards, procedures, guidelines and other materials supporting
    and expanding upon this and other information security policies are available in the organization’s
    Information Security Manual, on the corporate intranet and through the Information Security
    Manager. Local IT/information security contacts throughout the organization can also provide
    general guidance on the implementation of this policy - contact your line manager or the IT
    Help/Service Desk for advice.

    Copyright © 2007, ISO27k implementers' forum Page 5 of 6


    Important note from IsecT Ltd.

    f commonplace controls in this area. Because it is generic, it cannot fully reflect every user’s requirements.
    this provided that (a) it is not sold or incorporated into a commercial product, (b) it is properly attributed to

    Vous aimerez peut-être aussi