Search in ISMS Guides

Google
 

Tuesday, July 31, 2007

INTRODUCING AN EFFECTIVE EMAIL SECURITY POLICY

Email security breach is becoming an increasingly significant threat to organizations around the world. To counter this, most organizations will already have a firewall and anti-virus software in place. Hopefully, as new viruses are found daily, they have made sure that their virus protection is also updated on a daily basis.

Viruses, of course, can sometimes penetrate the firewall by hiding within emails. Once opened, the virus can spread and cause significant damage to internal systems. The virus may not always be serious enough to cause permanent damage but, even with moribund viruses, the disruption may well take time and money to rectify.

Despite these risks, there is no escaping the fact that e-mail is rapidly becoming the principal means of business communication. Draconian restrictions on use are therefore not tenable. However, rigid application of stringent security policy certainly is.

The following high level best practice statements should be adhered to as a basic minimum

• Personnel should understand the rights granted to them by the organization in respect of privacy in personal e-mail transmitted across the organization’s systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.

• Confidential and sensitive information should not be transmitted by e-mail - unless it is secured through encryption or other secure means.

• Personnel should not open emails or attached files without ensuring that the content appears to be genuine. If you are not expecting to receive the message or are not absolutely certain about its source, do not open it.

• Personnel should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should on the other hand be regularly purged or deleted from your system.

From these, it is recommended that more specific corporate requirements are produced and implemented.

From : http://www.17799central.com/news.htm

No comments: