Email Security Policy Page 1
Email Security Policy
Document Summary
Information Dynamics
Document Name: Email Security Policy
Compliance Reference: ISO 27001:2013
Document Revision History
Prepared By
29th Dec, 2019: First Version
Dec, 2020: Annual review
Dec, 2021: Annual review
Document Review History
Reviewed By
1. Purpose
The purpose of this policy is to define guidelines and controls to minimize the risks of misuse associated
with Information Dynamics corporate email services.
ISO 27001:2013 Domain Reference: A.13.2.3 Electronic Messaging
2. Scope
The scope of the policy will be applicable to all activities under the scope statement of Information
3. Policy
3.1. General Policy Statements
1. Each employee is responsible for the contents of his / her e-mail. All e-mails must be identified
with a user’s name or e-mail ID to allow for individual tracking.
2. Access to emails shall be duly authorized by the respective Department Head.
3. All email IDs in Information Dynamics’ shall follow the convention
<>.(Based on the location, India
4. Email signature for ID shall be standardized.
5. Passwords shall not be shared with other people and shall be changed as per the domain policy.
6. Individuals accessing the e-mail services of Information Dynamics must not use or access an
e-mail account assigned to another individual to either send or receive messages without consent.
A written approval from the Department Head must be obtained in case a user’s e-mail needs to
be accessed in his / her absence.
7. Web access of email from untrusted public computers such as public internet café, public wireless
access services or any untrusted computers is not recommended. However, in case of such access,
users shall never save user ID and password on the computers while accessing the emails.
8. Users shall not enable the “save password” check box when accessing Outlook Web Access from
a public internet environment.
9. Attachments from unknown or untrusted sources shall not be opened. All email attachments,
regardless of the source or content, shall be auto scanned for viruses and other destructive
programs before being opened or stored on any Information Dynamics computer system. All
malicious emails and attachments shall be deleted permanently.
10. Following are the guidelines for sending attachments:
i. Sending personal attachments is restricted.
ii. Sharing video files which consume high bandwidth causing business interruptions should
be avoided.
iii. Only business-related attachments should be sent, in compressed form, to limit
bandwidth utilization.
11. Any statements or comments made via email shall bear a disclaimer.
12. Distribution groups with permissions to receive outside emails should be kept at a minimum.
13. Email accounts shall be disabled immediately when a user leaves the company, and emails are
archived for 6 months. If the email account needs to be kept active after the user exits the
company, the account will be made active for a specified duration upon request from the Head of the
former user’s Department.
14. Email forwarding will be made available for a specified period upon request from the Head of the
Department once the user leaves the company.
15. In the event of any detection of viruses, the e-mail message will be deleted from the system and
an auto-generated warning message will inform the recipient or sender of the detected virus along
with the action taken.
16. The file extensions below shall not be permitted through the system. These types of files shall be
removed from the messages and sender/receiver shall be notified of their removal:
i. bas - BASIC program;
ii. vbs - Visual Basic program;
iii. vbe - Visual Basic related;
iv. vba - VBase File;
v. All executable files;
vi. bat - Batch Processing (Microsoft);
vii. All compressed files
17. The guidelines for email archiving are as follows:
i. Set to archive items that are older than 60 days.
ii. All emails larger than 2MB are automatically archived for 4 weeks.
iii. All archived emails are instantly accessible through Outlook and OWA.
18. Since archiving consumes more storage based on the number of items, users must clean up
unwanted attachments and personal items on a regular basis.
3.2. Confidentiality of Information
3.2.1. Treatment of e-mail as Confidential Information
1. Information Dynamics employees must treat e-mail messages and files as confidential
information. E-mail must be handled as a confidential and direct communication between a
sender and a recipient.
3.2.2. Management Rights to review e-mail Content
1. All messages sent by employees by e-mail are the records of Information Dynamics. At any time
and without prior notice, Information Dynamics reserves the right to examine e-mail, personal
file directories, and other information stored on Information Dynamics’ computers and servers.
E-mail messages may be monitored for any of the following reasons:
i. To ensure internal policy compliance
ii. To support internal investigations for suspected criminal activity
2. Information Dynamics may also disclose e-mail messages sent or received to law enforcement
officials without prior notice to the employees who may have sent or received such messages.
3. Access to mail boxes for the above-mentioned reasons must be explicitly authorized by the
4. Information Dynamics’ IT Department will ensure backup of e-mail messages.
3.2.3. Transmission of Confidential Information via e-mail
1. Information Dynamics’ systems should not be used to transmit or receive trade secrets,
copyrighted materials, or proprietary information unless the information is digitally signed and
encrypted and approved by the management.
3.3. Usage of e-mail
3.3.1. Business Use Only
1. E-mail systems must be used primarily for business purposes only.
2. When a user receives e-mail error messages that appear to be abnormal, the messages will be saved and
reported to IT Support immediately.
3. Each user shall take precautions to prevent unauthorized use of the E-Mail account.