Email Services Policy
Email Services Policy. Version v1 r4, released Oct. 24, 2014.
EMG3-106 Exch2K3: E-mail services and servers are not protected by routing all SMTP traffic through an Edge Transport Server.
Procedure: Interview the IAO. Review documentation that describes the infrastructure for E-mail services. Verify that an Edge Transport Server (or E-mail Secure Gateway) is installed and active on the network. Ensure that all inbound and outbound E-mail messages pass through and are examined by a perimeter-based Edge Transport Server. Criteria: If the site employs an Edge Transport Server or E-mail Secure Gateway, and all inbound and outbound E-mail messages are routed through the gateway, this is not a finding.
Discussion
Separation of roles supports operational security for application and protocol services. Since 2006, Microsoft best practices have taken the direction of creating operational “roles” for servers within E-mail services. The Edge Transport server role (also called the E-mail Secure Gateway) was created to concentrate authentication and sanitization tasks in one server, to provide Internet-facing protection for internal E-mail servers. Microsoft Exchange 2003 does not offer the Edge Transport server role.
In the E-mail services infrastructure, it has become imperative that inbound messages be examined prior to being forwarded into the enclave, primarily due to the amount of SPAM and malware contained in the message stream. Similarly, outbound messages must be examined so that an organization can locate, or perhaps intercept, messages with potential data spillage of sensitive or important information. The Edge Transport E-mail server role, which includes ‘appliances’ such as “Iron Port”, “Iron Mail” and the like, is designed to group protective measures for both inbound and outbound messages. Its charter is to face the Internet and to scrutinize all SMTP traffic, to determine whether to grant continued passage to its destination. Inbound E-mail sanitization steps include (but are not limited to) the following:
• Sender Authentication
• Sender Reputation Evaluation (White-listing and Black-listing)
• SPAM content scoring
• Virus and Malware removal
• Web Link URL evaluation
• Absent sender information
• SPOOFED domain sources (such as the local domain appearing as inbound mail)
• 0-Day attack detection
• Archiving or Quarantining trapped messages
• Alerting and Reporting when configured items are identified.
Failure to implement an E-mail Secure Gateway increases the risk that raw messages will reach the internal servers and networks, thereby increasing the risk of their compromise.
Even though Exchange 2003 E-mail Services are able to perform many of these evaluations, their Windows domain membership requires that they be internal to the enclave rather than expose the domain interaction to the Public Internet. Attempting to sanitize E-mail after it arrives inside the domain is no longer an acceptable or effective security measure. By using an Edge Transport Server (E-mail Secure Gateway), SMTP-specific attack vectors are addressed at the perimeter, where they can be secured more effectively.
Fix
Procedure: Install and configure an Edge Transport Server role in the infrastructure. Ensure that all SMTP traffic passes through this gateway, prior to forwarding messages into the enclave mail servers.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
EMG3-009 EMail: E-mail backup and recovery data is not protected.
Procedure: Interview the E-mail Administrator or the IAO. Access the System Security Plan documentation that describes protections for the Backup and Recovery data. Direct access must be granted to only processes and personnel who are responsible for handling that data. Criteria: If E-mail backup and recovery data and processes are restricted to authorized groups, this is not a finding.
Discussion
All automated information systems are at risk of data loss due to disaster or compromise. Failure to provide adequate protection to the backup and recovery data exposes it to risk of potential theft or damage that may ultimately prevent a successful restoration, should the need become necessary. Adequate protection ensures that backup components can be used to provide transparent or easy recovery from losses or operations outages. Backup files need the same protections against unauthorized access when stored on backup media as when online and actively in use by the E-mail system. Included in this category are physical media, online configuration file copies, and any user data that will need to be restored.
Fix
Ensure that only E-mail Administrator and authorized backup and restore personnel have access to Exchange 2003 backup and restore data.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-015 EMail: Annual procedural reviews are not conducted at the site.
Review procedures and implementation evidence of annual reviews of Exchange 2003 E-mail Services Information Assurance (IA) policy and procedures. If procedures do not exist, are incomplete, or are not implemented and followed annually or more frequently, then this is a finding. Criteria: If procedures exist, are complete, and reviews are conducted annually, this is not a finding.
Discussion
A regular review of current E-mail security policies and procedures is necessary to maintain the desired security posture of E-mail services. Policies and procedures should be measured against current Department of Defense (DoD) policy, Security Technical Implementation Guide (STIG) guidance, vendor-specific guidance and recommendations, and site-specific or other security policy.
Fix
Procedure: Ensure that procedures exist, and that annual reviews are scheduled and completed.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-050 EMail: E-mail Services are not documented in System Security Plan.
Interview the IAO. Review the System Security Plan for E-mail services. Review coverage of the following in the System Security Plan:
- technical, administrative, and procedural IA program and policies that govern E-mail services
- identification of all IA roles and assignments (IAM, IAO, DBA, SA)
- specific IA requirements and objectives such as unique security considerations and outage contingency plans.
Criteria: If E-mail services are documented in the System Security Plan, this is not a finding.
Discussion
A System Security Plan defines the security procedures and policies applicable to the Automated Information System (AIS). It includes definition of responsibilities and qualifications for those responsible for administering the security of the AIS. For E-mail services, this includes specifically the E-mail Administrator in addition to the standard System Administration (SA) and Information Assurance Officer (IAO) roles. Without a System Security Plan, unqualified personnel may be assigned responsibilities that they are incapable of meeting and E-mail security is prone to an inconsistent or incomplete implementation. Security controls applicable to E-mail services may not be documented, tracked, or followed if not identified in the System Security Plan. Any omission of security control consideration could lead to an exploit of E-mail services vulnerabilities.
Fix
Procedure: Establish a System Security Plan E-mail services component.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-006 E-mail: Audit logs are not included in backups.
Interview the E-mail Administrator or the IAO. Access documentation that describes inclusion of Exchange audit data with the weekly backups. Audit data specific to Exchange 2003 services are located in %systemroot%\system32\logfiles. Verify that this directory is included in the backup strategy to preserve log history. Criteria: If Audit records are backed up at least weekly on to a different system or media, this is not a finding.
Discussion
Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. Audit logs are essential to the investigation and prosecution of unauthorized access to Exchange 2003 software and data. Unless audit logs are available for review, the extent of data compromise may not be determined and the vulnerability exploited may not be discovered. Undiscovered vulnerabilities could lead to additional or prolonged compromise of the data. Audit records should be backed up not less than weekly on to a different system or media than the system being audited, to ensure preservation of audit history.
Fix
Ensure that Exchange 2003 audit records are backed up at least weekly on to a different system or media.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-010 EMail: E-mail critical software copies are not stored offsite in a fire rated container.
Interview the E-Mail Administrator or IAO. Reference a copy of the System Security Plan. Procedure: Review the application software baseline procedures and implementation evidence. Review the list of files and directories included in the baseline procedure for completeness. Criteria: If an E-mail software copy exists to serve as a baseline and is available for comparison during scanning efforts, this is not a finding.
Discussion
There is always potential that accidental loss can cause system loss and that restoration will be needed. In the event that the installation site is compromised, damaged or destroyed, copies of critical software media may be needed to recover the systems and become operational. Copies of the operating system (OS) and other critical software such as E-mail services applications must be created and stored off site in a fire rated container. If a site experiences loss or compromise of the installed software libraries, available copies can reduce the risk and shorten the time period for a successful E-mail services recovery.
Fix
Procedure: Create E-mail Software Copies for use in recovering systems, should they be needed. Ensure that the copies are stored off site and that details are documented in the system security plan.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG0-056 EMail: The E-mail Administrator role is not assigned and authorized by the IAO.
Procedure: Review the documented procedures for approval and granting of E-mail Administrator Privileges. Review implementation evidence for the procedures. Criteria: If the E-mail Administrator role is documented and authorized by the IAO, this is not a finding.
Discussion
Separation of roles supports operational security for application as well as human resources. Roles accompanied by elevated privileges, such as that of the E-Mail Administrator, must be carefully regulated and monitored. All appointments to Information Assurance (IA) roles, such as Designated Approving Authority (DAA), Information Assurance Manager (IAM), and Information Assurance Officer (IAO) are in writing, and include assigned duties and appointment criteria such as training, clearance and IT designation. The E-mail Administrator role is assigned and controlled by the IAM. The IAM role owns the responsibility to document responsibilities, privileges, training and scope for the E-mail Administrator role. It is with this definition that the IAO is able to monitor assigned resources, ensuring that intended tasks are completed, and that elevated privileges are not used for purposes beyond their intended tasks.
Fix
Procedure: Establish a procedure that ensures the E-mail Administrator role is defined and authorized (assigned) as documented by the IAO.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
EMG0-090 EMail: E-mail acceptable use policy is not documented in the System Security Plan or does not require annual user review.
Procedure: Interview the IAO. Access the documentation that describes the E-mail Acceptable Use Policy that is followed at the site. The Acceptable Use Policy serves as training for users and sets expectations for E-mail parameters. Criteria: If the E-mail Acceptable Use Policy is documented in the System Security Plan and requires annual user review with signature acknowledgement, this is not a finding.
Discussion
E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path is to use secure IA measures at the point of origin. For inbound messages, that point is at the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with actions taken when reading or creating E-mail messages. An E-mail Acceptable Use Policy is a set of rules that describe IA operation and expected user behavior with regard to E-mail services. Formal creation and use of an E-mail Acceptable Use Policy protects both organization and users by declaring boundaries, operational processes, and user training surrounding HelpDesk procedures, legal constraints and E-mail based threats that may be encountered. The Acceptable Use Policy should be distributed to each new E-mail user, as a requirement for obtaining an E-mail account. The policy must also be annually updated, then subject to repeat review by users. Requiring signed acknowledgement of the rules should be a condition of continued access to the E-mail system.
Fix
Procedure: Implement an E-mail Acceptable Use Policy that is documented in the System Security Plan or at the organizational level, and requires signed annual review by users.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
EMG3-045 EMail: E-Mail Configuration Management (CM) procedures are not implemented.
Procedure: Interview the E-mail Administrator or the IAO to ask if CM procedures are in place to prevent untested and uncontrolled software modifications to the production system. Access documentation demonstrating process, scheduling, and signoff procedures. Criteria: If CM procedures are documented and implemented, this is not a finding.
Discussion
Uncontrolled, untested, or unmanaged changes can result in an unreliable security posture. All software libraries related to E-mail services must be reviewed, considered, and the responsibility for Configuration Management (CM) assigned to ensure that no libraries or configurations are left unaddressed. This is true even if CM responsibilities appear to cross organizational boundaries.
Fix
Procedure: Implement Configuration Management procedures; document them and follow them. Ensure that patches, configurations, and upgrades are addressed. Process steps should have specific procedures and responsibilities assigned.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG0-075 EMail: E-mail Administrator Groups do not ensure least privilege.
Procedure: Interview the E-mail administrator or the IAO. Review documentation that describes division of duties by role in the E-mail administration assignments. Criteria: If E-mail Administrator tasks are assigned to a defined role in the organization, and the role is operating at least privilege for the tasks, this is not a finding.
Discussion
When an oversight responsibility is assigned to the same person performing the actions being overseen, the function of oversight is compromised. When the responsibility to manage or control one application or activity is assigned to one party, yet another party is also assigned the privilege to the same actions, then neither party can logically be held responsible for those actions. By separating responsibility and permissions by role, accountability is achieved. Roles, once defined, can then be used as “groups” with permissions granted, in the AD domain. Microsoft names three roles for E-mail administration as a starting point (appearing in diminishing order): E-mail Full Administrator, E-mail Administrator, and E-Mail View-Only Administrator. Because Exchange 2003 is an application, all three roles are subordinate to OS Administrator roles.
E-mail Full Administrator has the ability to install the application and configure the access and operational parameters, perform user and configuration setup, and view all aspects of E-mail configuration and performance. The Exchange Installation account would be a good candidate for this group.
E-mail Administrator is able to perform user and configuration setup, and view all aspects of E-mail configuration and performance. Operational tasks and administrators would be good candidates for this role.
E-mail View-Only Administrator is able to view all aspects of E-mail configuration and performance. Persons or utilities that monitor throughput, connector, and queue performance would be good candidates for this group.
Further granularity is possible, and often makes sense, enabling each role to operate using the least possible permissions needed to perform the role.
Fix
Procedure: Create, or have created, Policies / OUs / Security Groups to define roles and permissions for the E-mail Administration team. Verify that each role is commensurate with least possible permission to perform the associated tasks.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-028 EMail: E-mail software installation account usage is not logged.
Procedure: Interview the IAO or E-mail Administrator. Verify implementation of logging procedures defined for use of the Exchange 2003 installation account. Criteria: If E-mail software installation account usage is logged, this is not a finding.
Discussion
E-mail Administrator or application owner accounts are granted more enhanced privileges than non-privileged users. It is especially important to grant access to privileged accounts to only those persons who are qualified and authorized to use them. Each use of the account should be logged to demonstrate this accountability.
Fix
Procedure: Develop and implement a logging procedure for use of the Exchange 2003 software installation account that provides accountability to individuals for any actions taken by the account.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
EMG3-020 Exch: Exchange with Outlook Web Access is not deployed as Front-end/Back-end Architecture.
Interview the E-mail administrator or the Information Assurance Officer (IAO). Access the documented topology diagrams and System Security Plan information. Sites offering Outlook Web Access (OWA) for remote E-mail access from the Internet should have an Exchange 2003 front-end server. In E-mail environments where OWA is not offered, front-end servers are not needed. Criteria: If the Exchange deployment model is a multi-server environment with OWA and is using a front-end/back-end architecture, this is not a finding.
Discussion
Microsoft® Exchange supports a server architecture that distributes server tasks among front-end and back-end servers. Front-end/back-end architecture provides for logical separation of protocols, user traffic, and the subsequent ability to secure each of these aspects of E-Mail technology using discrete security techniques that are appropriate for each. In this architecture, a front-end server accepts requests from clients and proxies them to the appropriate back-end server for processing, and offloads the SSL encryption. The term "back-end server" refers to all servers in an organization that are not front-end servers after a front-end server is introduced into the organization. In a multi-server environment, one or more back-end servers may be cast in the role of ‘Bridgehead’ server. Bridgehead servers are used in large domains that deploy mailbox servers in multiple locations, sometimes spanning wide area network (WAN) (or other slow) connections, or that require careful bandwidth management for other reasons. Bridgehead servers work in pairs, one at each side of a location, to manage replication and distribution tasks. The primary advantage of the front-end/back-end server architecture is the ability to expose a single, consistent namespace to end users, for example, https://mail.mycompany.com. Without a front-end server, users must know the name of the server that stores their mailbox.
Fix
For OWA enabled environments, the environment should be re-engineered to add at least one front-end server. Consult with network and protocol requirements for additional requirements such as perimeter protection, protocol paths and other configuration requirements that some Exchange configurations assume are in place.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-108 Exch2K3: E-mail web services are not protected by having an application proxy server outside the enclave.
For sites not using Exchange 2003 E-mail web services, this check is N/A. Procedure: Interview the IAO. Access documentation that describes the E-mail services infrastructure. Verify that a proxy server such as Microsoft ISA server 2006 is installed and requires CAC authentication, is a member of the local Windows domain, and initiates a new security context for the transaction. Criteria: If the site employs an application proxy server such as Microsoft ISA, that requires CAC authentication, FIPS 140-2 encryption, and URL evaluation, this is not a finding.
Discussion
Separation of roles supports operational security for application and protocol services. The HTTP path to web sites is a proven convenience in requiring only a browser to access them, but is simultaneously a well known attack vector for people and applications that would attempt to gain unwelcome admittance. Web-based applications such as Exchange 2003 Outlook Web Access (OWA) reside on Windows domain Member Servers, and are classified as ‘internal’, or private web servers. In order for the DoD to grant web-based access to E-mail services, careful authentication, encryption, and other precautions are needed. Authentication, via Common Access Card, is not a feature of Exchange 2003. Add to that, it is risky to admit Internet-sourced web traffic, even with SSL or TLS encryption, into the enclave without some inspection, such as for suspicious URL formation. Also, ensuring that only the desired protocols are allowed reduces risk as well as excess traffic. An application proxy server, such as Microsoft Internet Security and Acceleration (ISA) server is an effective firewall and proxy that offers all of these features when properly equipped and configured. Failure to require CAC authentication of each user, a new security context for the transaction, and FIPS 140-2 compliant encryption for the Internet leg of the transaction, all increase risk of compromise to the OWA web server.
Fix
Procedure: Install an application proxy server capable of authenticating a CAC-enabled transaction, continue the transaction in a new security context, and require FIPS 140-2 encryption for the Internet connection to the end user.
Rating Info
DISA Cat I. NIST impact 4.
Expert Comment
None
EMG3-007 EMail: E-mail backups do not meet schedule or storage requirements.
Procedure: Interview the IAO. Access the site's System Security Plan. Review backup frequency schedule. Also, review file locations, access protections and procedures for offline files, and storage methods. Criteria: If E-mail backups are conducted on schedule and are stored appropriately, this is not a finding.
Discussion
Hardware failures or other (sometimes physical) disasters can cause data loss to active applications, and the need for expedient recovery. Ensuring that backups are conducted on an agreed schedule creates a timely copy from which to recover active systems. Storing backup contents at a separate physical location protects the backup data from site-specific physical disasters. Backup schedule and storage location are determined in accordance with the MAC category and confidentiality level.
Fix
Procedure: Perform follow-up to ensure that E-mail backups are conducted on schedule and are stored appropriately.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-005 EMail: The E-mail backup and recovery strategy is not documented or is not tested on an INFOCON compliant frequency.
Procedure: Interview the E-mail Administrator or the IAO. Access the System Security Plan or other documentation that describes the backup and recovery strategy for Exchange 2003 E-mail servers. The documentation should detail specifically what files and data stores are saved, including the frequency and schedules of the saves (as required by INFOCON levels), and recovery plans (should they become necessary). The recovery plan should also state a periodic recovery rehearsal to ensure the backup strategy is sound. Criteria: If E-mail Backup and Recovery strategy is documented and periodically tested, this is not a finding.
Discussion
A disaster plan exists that provides for the smooth transfer of all mission or business essential functions to an alternate site for the duration of an event with little or no loss of operational continuity. The backup and recovery plan should include business recovery, system contingency, facility disaster recovery plans and plan acceptance.
Fix
Ensure that the E-mail Backup and Recovery Strategy is documented in the site Disaster Recovery Plan, with components, locations and directions, and is tested according to INFOCON frequency requirements.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
EMG3-079 EMail: Automated audit reporting tools are not available.
Interview the IAO or the E-mail administrator. Review automated tool usage for reporting of audit trail data. Criteria: If automated tools are available for review and reporting on E-mail Service audit records, this is not a finding.
Discussion
Monitors are automated “process watchers” that respond to performance changes, and can be useful in detecting outages and alerting administrators where attention is needed. Log files help establish a history of activities, and can be useful in detecting attack attempts or determining tuning adjustments to improve availability. However, audit record collection may quickly overwhelm storage resources and an auditor’s ability to review it in a productive manner. Add to that, an audit trail that is not monitored for detection of suspicious activities provides little value. Regular or daily review of audit logs not only leads to the earliest possible notice of a compromise, but can also minimize the extent of the compromise. Automated Log Monitoring gives the additional boost to the monitoring process, in that noteworthy events are more immediately detected, provided they have been defined to the automated monitoring process. Log data can be mined for specific events, and upon detection, they can be analyzed and summarized by such tools to provide choices for alert methods, reports, trend analyses, attack scenario solutions.
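As an added example (not part of this policy document or any DISA or Microsoft tool), the kind of automated audit-trail review the Discussion above calls for, run over constructed SMTP service log lines. It assumes the log is in the W3C extended format the Windows SMTP service behind Exchange 2003 writes under %systemroot%\system32\logfiles, that the log comes from the Internet-facing inbound server, and that the local mail domain is example.mil; the field set, the sample lines, and the failure threshold are all assumptions.

```python
"""Automated daily review of SMTP service audit logs (added example).

Assumptions: the log is W3C extended format (a '#Fields:' directive followed
by space-separated records), the server is the Internet-facing inbound
relay, and the local domain is example.mil. The log lines are constructed.
"""
from collections import Counter, defaultdict
import re

LOCAL_DOMAIN = "example.mil"  # assumed local mail domain for the spoof check

# Constructed sample log; addresses use documentation IP ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2014-10-24 00:00:00
#Fields: date time c-ip cs-method cs-uri-query sc-status
2014-10-24 08:00:01 203.0.113.10 EHLO +relay.example.net 250
2014-10-24 08:00:02 203.0.113.10 MAIL +FROM:<alice@example.net> 250
2014-10-24 08:00:03 203.0.113.10 RCPT +TO:<bob@example.mil> 250
2014-10-24 08:00:04 203.0.113.10 DATA - 250
2014-10-24 08:05:10 198.51.100.7 HELO +mail.example.mil 250
2014-10-24 08:05:11 198.51.100.7 MAIL +FROM:<ceo@example.mil> 250
2014-10-24 08:05:12 198.51.100.7 RCPT +TO:<finance@example.mil> 250
2014-10-24 08:05:13 198.51.100.7 DATA - 250
2014-10-24 08:09:00 198.51.100.7 RCPT +TO:<nobody1@example.mil> 550
2014-10-24 08:09:01 198.51.100.7 RCPT +TO:<nobody2@example.mil> 550
2014-10-24 08:09:02 198.51.100.7 RCPT +TO:<nobody3@example.mil> 550
2014-10-24 08:09:03 198.51.100.7 RCPT +TO:<nobody4@example.mil> 550
"""

ADDR_RE = re.compile(r"<([^>]+)>")


def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("record before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def review(text, local_domain=LOCAL_DOMAIN, rcpt_fail_threshold=3):
    """Summarize one day's SMTP log for the daily audit review.

    Returns a dict with:
      commands_by_ip  - count of SMTP commands per client IP
      spoofed_inbound - MAIL FROM addresses claiming the local domain that
                        arrived from outside (the 'SPOOFED domain sources'
                        case listed under EMG3-106), keyed by client IP
      rcpt_failures   - client IPs with at least rcpt_fail_threshold RCPT 5xx
                        replies, a common sign of address harvesting
    """
    commands_by_ip = Counter()
    spoofed = defaultdict(list)
    rcpt_fail = Counter()
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"]
        query, status = rec["cs-uri-query"], rec["sc-status"]
        commands_by_ip[ip] += 1
        if method == "MAIL":
            match = ADDR_RE.search(query)
            if match and match.group(1).lower().endswith("@" + local_domain):
                spoofed[ip].append(match.group(1))
        if method == "RCPT" and status.startswith("5"):
            rcpt_fail[ip] += 1
    flagged = {ip: n for ip, n in rcpt_fail.items() if n >= rcpt_fail_threshold}
    return {"commands_by_ip": dict(commands_by_ip),
            "spoofed_inbound": dict(spoofed),
            "rcpt_failures": flagged}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, value)
```

Pointing `review()` at a day's real log file (read as text) yields the summary an auditor would attach as the evidence of review that EMG3-037 asks for.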
Fix
Procedure: Ensure that automated tools are implemented and available for review and reporting on E-mail Service audit records.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-071 EMail: E-mail audit records are not retained for 1 year.
Interview the IAO or E-mail Administrator. Access documentation that describes data retention for audit records. Criteria: If E-mail audit records are retained for required time period (1 year), this is not a finding.
Discussion
Audit data retention serves as a history that can aid in determining actions executed by users and administrators. Reasons for such research include both malicious actions that may have been perpetrated, as well as legal evidence that might be needed for proof of activity. Audit data records are required to be retained for a period of 1 year.
Fix
Procedure: Ensure that E-mail audit records are categorized and retained for required time period of 1 year.
Rating Info
DISA Cat II. NIST impact 3.
Expert Comment
None
EMG3-037 EMail: E-mail audit trails are not reviewed daily.
Interview the IAO. Review the audit trail review procedures in the System Security Plan. The procedures should include evidence of the occurrence and frequency of reviews. Also review the evidence of review results. Criteria: If audit trail review procedures and evidence of reviews exist, this is not a finding.
Discussion
Access to E-mail services and software is logged to establish a history of actions taken in the system. Unauthorized access or use of the system could indicate an attempt to bypass established permissions. Reviewing the log history can lead to discovery of unauthorized access attempts. Reviewing the logs daily helps to ensure that prompt attention is given to any suspicious activities discovered therein.
Fix
Procedure: Develop and implement procedures to review audit records daily. Include procedures for response to indications of access by unauthorized usage.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None
EMG0-092 EMail: E-mail Acceptable Use Policy does not contain required elements.
Procedure: Interview the IAO. Access documentation that describes the elements included in the E-mail Acceptable Use Policy. User education elements should include such elements as:
• Classification and Sensitivity Labeling; A user’s electronic signature is the stamp of authenticity that enables information to be trusted.
• SPAM and PHISHING recognition; The ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information.
• Acceptable and non-acceptable text content; Users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization.
• Security Constraints; Forbidden attachment types and security reasons for each.
• “Personal business” usage policy; Message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention.
• Request help; how to report if you are a witness or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user.
User expectations elements should include such elements as:
• Acceptable Use Policy location; for ongoing reference if needed.
• E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc.
• E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them.
• Legal issues; what constitutes harassment, threats, or inappropriate language.
• E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise.
• Constraints; Mailbox, message, and attachment size limitations.
• Policies; Data retention, type of servers, server uptime and maintenance schedules.
• Penalties for violating E-mail Acceptable Use Policy.
• Schedule for periodic review, format for signoff.
Criteria: If the E-mail Acceptable Use Policy contains required elements, this is not a finding.
Discussion
E-mail is only as secure as the recipient, which can be either a server or a human (client). Add to that, the surest way to prevent SPAM and other malware from entering the E-mail message transfer path is to use secure IA measures at the point of origin. For inbound messages, that point is at the perimeter, where the Edge Transport Role server performs authentication and sanitization measures on the messages. For outbound messages, that point is the human user, who (with assistance from a client application such as Outlook) must use care with actions taken when reading or creating E-mail messages. E-mail Acceptable Use Policy statements must include, among other items, user education and expectations, as well as penalties and legal ramifications surrounding noncompliance. User education elements should include such elements as:
• Classification and Sensitivity Labeling; A user’s electronic signature is the stamp of authenticity that enables information to be trusted.
• SPAM and PHISHING recognition; The ability to recognize non-authentic messages is key to protecting the organization against user manipulation that results from false information.
• Acceptable and non-acceptable text content; Users should also be acquainted with legal responsibilities surrounding harassment, soliciting, or distribution of inappropriate content as outlined by the organization.
• Security Constraints; Forbidden attachment types and security reasons for each.
• “Personal business” usage policy; Message content guidelines, attention to CC: lists, information sensitivity, chain letters, and spillage prevention.
• Request help; how to report if you are a witness or victim of misuse, phone numbers for support, troubleshooting, how to request an account for a new user.
User expectations elements should include such elements as:
• Acceptable Use Policy location; for ongoing reference if needed.
• E-mail types of services offered; for example, Outlook, OWA and Public Folders included, access from POP3 clients is not allowed, etc.
• E-mail tools, rules, and alerts; descriptions and official formats of E-mail based announcements that may originate from the E-mail Administration team (to prevent users being SPAMMED or compromised by social engineering exploits). Because there are known social engineering techniques that SPAM users in the form of ‘Administrator Requests’ to end users, it may be advantageous to have an ‘official’ method of communicating, enabling users to then recognize non-authentic requests and report them.
• Legal issues; what constitutes harassment, threats, or inappropriate language.
• E-mail Administration processes; how to add, remove, and manage the e-mail user population, report problems or abuse, compromise.
• Constraints; Mailbox, message, and attachment size limitations.
• Policies; Data retention, type of servers, server uptime and maintenance schedules.
• Penalties for violating E-mail Acceptable Use Policy.
• Schedule for periodic review, format for signoff.
Fix
Revise or supplement the E-mail Acceptable Use Policy so that it contains the required elements.
Rating Info
DISA Cat III. NIST impact 2.
Expert Comment
None