Previous
Learn how PurpleSec’s experts can help develop your organization’s cyber security policies.
Author: Rich Selvidge, CISSP / Last Updated: 8/11/22
Reviewed By: Michael Swanagan, CISSP, CISA, CISM
View Our: Editorial Process
Anti-Spoofing: A technique for identifying and dropping units of data, called packets, that have a false source address.
Antivirus: Software used to prevent, detect, and remove malicious software.
Electronic mail system: Any computer software application that allows electronic mail to be communicated from one computing system to another.
Electronic mail (e-mail): Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
Email spoofing: The forgery of an email header so the message appears to have originated from someone other than the actual source. The goal of email spoofing is to get recipients to open, and possibly even respond to, a solicitation to provide sensitive data or perform an action such as processing a wire transfer.
Inbound filters: A type of software based traffic filter allowing only designated traffic to flow towards a network.
Quarantine: Suspicious email message may be identified by an antivirus filter and isolated from the normal mail inbox.
SPAM: Unsolicited e-mail, usually from Internet sources. It is often referred to as junk e- mail.
E-mail at {COMPANY-NAME} must be managed as valuable and mission critical resources. Thus, this policy is established to:
The purpose of this policy is to establish rules for the use of {COMPANY-NAME} email for sending, receiving, or storing of electronic mail.
This policy applies equally to all individuals granted access privileges to any {COMPANY-NAME} information resource with the capacity to send, receive, or store electronic mail.
Individuals involved may be held liable for:
Corporate e-mail is not private. Users expressly waive any right of privacy in anything they create, store, send, or receive on {COMPANY-NAME}’s computer systems. {COMPANY-NAME} can, but is not obliged to, monitor emails without prior notification. All e-mails, files, and documents – including personal e-mails, files, and documents – are owned by {COMPANY-NAME}, may be subject to open records requests, and may be accessed in accordance with this policy.
Incoming email must be treated with the utmost care due to the inherent information security risks. An anti-virus application is used to identify malicious code(s) or files. All email is subjected to inbound filtering of e-mail attachments to scan for viruses, malicious code, or spam. Spam will be quarantined for the user to review for relevancy. Introducing a virus or malicious code to {COMPANY-NAME} systems could wreak havoc on the ability to conduct business. If the automatic scanning detects a security risk, IT must be immediately notified.
Anti-spoofing practices have been initiated for detecting spoofed emails. Employees should be diligent in identifying a spoofed email. If email spoofing has occurred, IT must be immediately notified.
Incoming emails are scanned for malicious file attachments. If an attachment is identified as having an extension known to be associated with malware, or prone to abuse by malware or bad actors or otherwise poses heightened risk, the attachment will be removed from the email prior to delivery.
Email rejection is achieved through listing domains and IP addresses associated with malicious actors. Any incoming email originating from a known malicious actor will not be delivered. Any email account misbehaving by sending out spam will be shut down. A review of the account will be performed to determine the cause of the actions.
E-mail is to be used for business purposes and in a manner that is consistent with other forms of professional business communication. All outgoing attachments are automatically scanned for virus and malicious code. The transmission of a harmful attachment can not only cause damage to the recipient’s system, but also harm {COMPANY-NAME}’s reputation. The following activities are prohibited by policy:
All confidential or sensitive {COMPANY-NAME} material transmitted via e-mail, outside {COMPANY-NAME}’s network, must be encrypted. Passwords to decrypt the data should not be sent via email.
E-mail is not secure. Users must not e-mail passwords, social security numbers, account numbers, pin numbers, dates of birth, mother’s maiden name, etc. to parties outside the {COMPANY-NAME} network without encrypting the data. All user activity on {COMPANY-NAME} information system assets is subject to logging and review. {COMPANY-NAME} has software and systems in place to monitor email usage.
E-mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of {COMPANY-NAME}, unless appropriately authorized (explicitly or implicitly) to do so.
Users must not send, forward, or receive confidential or sensitive {COMPANY-NAME} information through non-{COMPANY-NAME} email accounts. Examples of non-{COMPANY-NAME} e-mail accounts include, but are not limited to, Hotmail, Yahoo mail, AOL mail, and e- mail provided by other Internet Service Providers (ISP). Users with non-{COMPANY-NAME} issued mobile devices must adhere to the Personal Device Acceptable Use and Security Policy for sending, forwarding, receiving, or storing confidential or sensitive {COMPANY-NAME} information.
Incidental personal use of sending e-mail is restricted to {COMPANY-NAME} approved users; it does not extend to family members or other acquaintances. Without prior management approval, incidental use must not result in direct costs to {COMPANY-NAME}. Incidental use must not interfere with the normal performance of an employee’s work duties.
No files or documents may be sent or received that may cause legal liability for or embarrassment to {COMPANY-NAME}. Storage of personal files and documents within {COMPANY-NAME}’s IT systems should be nominal.
Rich Selvidge is the Chief Information Security Officer at PurpleSec, providing singular accountability for all information security controls in the company. He brings over 21 years of information technology and security risk management experience.
Security Policies