Email Standards Overview
All campus e-mail service providers must meet the following minimum standards. E-mail service providers are defined as systems that both send and receive e-mail and support business or individual user accounts.
- Installation and operation of an e-mail system must be approved by the Information Security Office.
- The system owner is responsible for ensuring that the requirements of these standards are met.
- The department or unit responsible for the e-mail system shall bear the costs of ensuring compliance with this standard.
- One or more support person(s) must be identified. Current and accurate contact information for the support person must be maintained and communicated to the Information Security Office.
- The support person(s) must be appropriately classified and demonstrate appropriate knowledge of the e-mail system.
- The system owner and support person(s) must ensure that all security patches for the operating system, application and database are evaluated and applied on a timely basis.
- The support person(s) must implement a well-defined host-based firewall. The firewall configuration must be provided to the Information Security Office for review.
- Secure POP and secure IMAP (POP3 and IMAP over TLS) are the preferred client access protocols. Any use of the unencrypted protocols requires a business case, which must be provided to the Information Security Office.
- Message relaying must be disabled or properly configured to relay only from known good sources (for example, authenticated users or explicitly listed internal networks); a server that relays for arbitrary sources is an open relay.
- Remote management must be restricted to authorized support person(s) and must use strong authentication over an encrypted, secured connection.
- The equipment must be housed in a physically secured location with a climate-controlled environment and protected power. Access to the location must be auditable.
- All users must authenticate before using e-mail resources.
- Remove or disable all ‘anonymous’ and ‘guest’ accounts.
- Backup media must be treated as confidential and private, and must always be stored and handled securely. Backup media should be encrypted using a generally accepted strong industry cipher.
Monitoring / Compliance
- Security event logging must be enabled and security log files retained for one year.
- A schedule and procedures for log review must be established.
- E-mail systems must be reviewed annually for compliance to this standard.
- System owners must complete and present a self-assessment to the Information Security Office annually.
- System owners must document issues on non-compliant systems, together with plans and a timeline to remediate them.
- Documented procedures for e-mail usage, administration, ownership and maintenance must be maintained.
- Documentation of all security measures (corrective, detective and preventive) regarding malicious software (viruses, Trojan horses) and spam filtering at the server level must be maintained.
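The log review required above is easier to carry out on schedule, and consistently, when the first pass is automated. The following is an added example and is not part of the standard nor taken from any mail product: it parses constructed, syslog-style mail server events in an assumed key=value format and flags three conditions the standard cares about: a burst of authentication failures from one source address, successful logins over the unencrypted POP/IMAP protocols, and relaying accepted from an address outside an assumed trusted campus range. The log format, field names, failure threshold, time window and trusted network are all assumptions of this example and would be adjusted to the real system.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed campus range from which relaying is permitted (example value).
TRUSTED_NETS = [ipaddress.ip_network("10.20.30.0/24")]
# Cleartext client protocols the standard discourages (assumed label names).
INSECURE_PROTOS = {"pop3", "imap"}

# Constructed sample events in an assumed "timestamp host program: k=v ..." layout.
# These lines are fabricated for the example and do not come from a real server.
SAMPLE_LOG = """\
2024-03-04T09:00:01 mail01 mta: auth=fail user=jsmith src=203.0.113.7 proto=imaps
2024-03-04T09:00:03 mail01 mta: auth=fail user=jsmith src=203.0.113.7 proto=imaps
2024-03-04T09:00:05 mail01 mta: auth=fail user=admin src=203.0.113.7 proto=imaps
2024-03-04T09:00:07 mail01 mta: auth=fail user=root src=203.0.113.7 proto=imaps
2024-03-04T09:00:09 mail01 mta: auth=fail user=guest src=203.0.113.7 proto=imaps
2024-03-04T09:00:11 mail01 mta: auth=fail user=postmaster src=203.0.113.7 proto=imaps
2024-03-04T09:01:00 mail01 mta: auth=ok user=alee src=10.20.30.40 proto=imaps
2024-03-04T09:02:00 mail01 mta: auth=ok user=alee src=10.20.30.40 proto=pop3
2024-03-04T09:05:00 mail01 mta: relay=accepted src=198.51.100.9 from=bulk@example.net to=victim@example.org
2024-03-04T09:05:30 mail01 mta: relay=rejected src=198.51.100.9 from=bulk@example.net to=victim2@example.org
2024-03-04T09:06:00 mail01 mta: relay=accepted src=10.20.30.41 from=alee@campus.example.edu to=peer@example.org
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+): (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one event into a dict of fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def is_trusted(src):
    """True when the source address falls inside one of the trusted relay networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def review_logs(text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings: (kind, source, details...) tuples."""
    findings = []
    failures = defaultdict(list)  # src -> timestamps of failed logins
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("src", "?")
        if rec.get("auth") == "fail":
            failures[src].append(rec["ts"])
        # A successful login over a cleartext protocol needs a business case per the standard.
        if rec.get("auth") == "ok" and rec.get("proto") in INSECURE_PROTOS:
            findings.append(("insecure-protocol", src, rec.get("user", "?"), rec["proto"]))
        # Relay accepted from outside the trusted range indicates open-relay behaviour.
        if rec.get("relay") == "accepted" and not is_trusted(src):
            findings.append(("open-relay", src, rec.get("from", "?"), rec.get("to", "?")))
    # Sliding window over each source's failures: report the densest window if it meets the threshold.
    for src, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= fail_threshold:
            findings.append(("auth-bruteforce", src, best))
    return findings


if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOG):
        print(finding)
```

Each finding maps back to a requirement above: the bruteforce burst and the open relay are items for the incident record, and the cleartext POP login is a check that the business case for an insecure protocol actually exists. The rejected relay attempt from 198.51.100.9 is not flagged, since the server did what the standard requires.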
Email Standards Summary
Individual e-mail systems vary in technology and message handling. Each PROGRAM CENTER administrator should educate their users about how the e-mail system functions, and where, how and for how long messages are retained. As the retention policy of each PROGRAM CENTER system/department varies, it is the responsibility of each PROGRAM CENTER/department to document its data retention policies in case of audits and/or litigation.
As an example of the documentation that should be available: users should know that deleted messages remain on a hard drive or on the e-mail server until a positive action (either manual or automated) deletes them. The same may be true of sent messages. Users should also know what is stored on PDAs, cell phones (text messages), etc. Users should also understand that once a message has been sent to recipients, the sender generally loses all control over the dissemination and retention of that message.