
Item | Value |
Organization | Information Dynamics |
Document Name | Email Security Policy |
Classification | Internal |
Compliance Reference | ISO 27001:2013 |

Date | Version | Prepared By |
29th Dec, 2019 | 1.0 | First Version |
24th Dec, 2020 | 1.1 | Annual review |
24th Dec, 2021 | 1.2 | Annual review |
26th Aug, 2022 | 1.3 | Annual review |

Reviewed By | Version | Date | Signature |
Soundarrajan | 1.0 | 29-Dec-2019 | |
Soundarrajan | 1.1 | 26-Dec-2020 | |
Soundarrajan | 1.2 | 26-Dec-2021 | |
Soundarrajan | 1.3 | 26-Aug-2022 | |

Purpose
The purpose of this policy is to define guidelines and controls to minimize the risks of misuse associated with Information Dynamics’ corporate email services.
ISO 27001:2013 Domain Reference: A.13.2.3 – Electronic Messaging
Scope
This policy applies to all activities under the scope statement of Information Dynamics.
Policy
Each employee is responsible for the contents of his / her e-mail. All e-mails must be identified with a user’s name or e-mail ID to allow for individual tracking.
Access to emails shall be duly authorized by the respective Department Head.
All email IDs in Information Dynamics shall follow the convention <firstnamelastname@infodynamic.net> (based on the location, India - .in.infodynamic.net).
Email signature for ID shall be standardized.
Passwords shall not be shared with other people and shall be changed as per the domain policy.
Individuals accessing the e-mail services of Information Dynamics must not use or access an e-mail account assigned to another individual to either send or receive messages without consent. A written approval from the Department Head must be obtained in case a user’s e-mail needs to be accessed in his / her absence.
Web access of email from untrusted public computers such as public internet café, public wireless access services or any untrusted computers is not recommended. However, in case of such access, users shall never save user ID and password on the computers while accessing the emails.
Users shall not enable the “save password” check box when accessing Outlook Web Access from a public internet environment.
Attachments from unknown or untrusted sources shall not be opened. All email attachments, regardless of the source or content, shall be auto-scanned for viruses and other destructive programs before being opened or stored on any Information Dynamics computer system. All malicious emails and attachments shall be deleted permanently.
Following are the guidelines for sending attachments:
Sending personal attachments is restricted.
Sharing video files which consume high bandwidth causing business interruptions should be avoided.
Only business-related attachments should be sent, in compressed form, to limit bandwidth utilization.
Any statements or comments made via email shall bear a disclaimer.
Distribution groups with permissions to receive outside emails should be kept at a minimum.
Email accounts shall be disabled immediately on user leaving the company and emails are archived for 6 months. In case the email account needs to be kept active on user exiting the company, accounts will be made active for a specified duration upon request from the Head of the former user’s Department.
Email forwarding will be made available for a specified period upon request from the Head of the Department once the user leaves the company.
In the event of any detection of viruses, the e-mail message will be deleted from the system and an auto-generated warning message will inform the recipient or sender of the detected virus along with the action taken.
The file extensions below shall not be permitted through the system. These types of files shall be removed from the messages and sender/receiver shall be notified of their removal:
bas - BASIC program;
vbs - Visual Basic program;
vbe - Visual Basic related;
vba - VBase File;
All executable files;
bat - Batch Processing (Microsoft);
All compressed files
The guidelines for email archiving are as follows:
Set to archive items that are older than 60 days.
All emails larger than 2MB are automatically archived for 4 weeks.
All archived emails are instantly accessible through Outlook and OWA.
Since archiving consumes more storage based on the number of items, users must clean up unwanted attachments and personal items on a regular basis.
Information Dynamics’ employees must treat e-mail messages and files as confidential information. E-mail must be handled as a confidential and direct communication between a sender and a recipient.
All messages sent by employees by e-mail are the records of Information Dynamics. At any time and without prior notice, Information Dynamics reserves the right to examine e-mail, personal file directories, and other information stored on Information Dynamics’ computers and servers. E-mail messages may be monitored for any of the following reasons:
Ensuring internal policy compliance
To support internal investigations for suspected criminal activity
Information Dynamics may also disclose e-mail messages sent or received to law enforcement officials without prior notice to the employees who may have sent or received such messages.
Access to mail boxes for the above-mentioned reasons must be explicitly authorized by the Management.
Information Dynamics’ IT Department will ensure backup of e-mail messages.
Information Dynamics’ systems should not be used to transmit or receive trade secrets, copyrighted materials, or proprietary information unless they are digitally signed and encrypted and approved by the management.
E-mail systems must be used primarily for business purposes only.
When a user receives e-mail error messages that appear to be abnormal, the messages will be saved and reported to IT Support immediately.
Each user shall take precautions to prevent unauthorized use of the E-Mail account.
Destruction of both the logs and referenced e-mail messages must be postponed whenever a legal notice is received. Such destruction must also be postponed if the material might be required for an imminent legal action.
Information Dynamics forbids the use of profane, obscene or derogatory remarks in e-mail messages.
Users must not create or forward externally provided e-mail messages which may be considered to be harassment or which may contribute to a hostile work environment. Users must not use profanity, obscenities, or derogatory remarks in e-mail messages discussing employees, customers, or competitors. Such remarks -- even when made in jest -- may create legal problems such as trade libel and defamation of character. Among other things, a hostile work environment may also be created when derogatory comments about a certain sex, race, religion, political beliefs or disability are circulated. Liability for such e-mails will be on the concerned employees only and Information Dynamics does not take any responsibility for them.
Employees may either communicate with the originator of the offensive e-mails, asking him / her to stop sending such messages, or report such offensive e-mails directly to IT Support.
Information Dynamics’ users shall not provide their official email IDs on any public domain or on the Internet, as this has the potential to increase junk email, spam, etc.
Users should not use their official email ID to subscribe to newsgroups that generate a heavy amount of mail traffic unless authorized by the Head of Department.
Users shall not use their official email IDs while creating their personal internet profiles or email accounts. This may increase spamming and unauthorized access of Information Dynamics’ email accounts.
Information Dynamics’ employees, personnel, or third-party contractors using Email Services shall not modify the security parameters within Information Dynamics’ e-mail system. Users making unauthorized changes to the e-mail security parameters are in violation of this policy.
Users shall not execute or install any programs, upgrades or patches that are received via e-mail or downloaded from the Internet.