E-Mail Use Policy
By: Joe Narvaez
Overview
• The Policy
• The Threat of:
  - Information leaks
  - Malicious or offensive content
  - Virus attacks
  - Spam
• Prevention
The Policy (Offered by SANS)
Prohibited Use
• The Company's email system should not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs, political beliefs, or national origin.
Personal Use
• Non-work-related email should be saved in a separate folder from work-related mail. Sending chain letters or joke emails from a company email account is prohibited.
The Policy
Monitoring
• Company employees should have no expectation of privacy in anything they store, send, or receive on the company's email system. The Company may monitor messages without prior notice.
Enforcement
• Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
The Threat of... Information Leaks
• Organizations often fail to acknowledge that there is a greater risk of crucial data being stolen from within the company rather than from outside.
• Various studies have shown how employees use e-mail to send out confidential corporate information, be it because they are disgruntled or revengeful, or because they fail to realize the potentially harmful impact of such a practice.
  - 30% of 800 employees surveyed admitted that they had sent confidential information.
  - Ten percent admitted receiving e-mail containing confidential information.
The Threat of... Information Interception
• Unsecured e-mail can fall prey to malicious software tools such as sniffers, which automatically lie in wait for interesting information relayed through their system as e-mails are transferred from sender to recipient.
• Unknown to e-mail senders, sniffers are placed in the path of all e-mail messages going through a computer.
• Analyzing an email message can reveal a lot of information about its sender, such as IP address, geographic location, time zone, language preferences, computer LAN name, and email software used.
The Threat of... Malicious or Offensive Content
• It is important for employees to recognize that oftentimes the email they send makes a first impression on the receiver and represents their company.
• E-mails sent by staff containing racist, sexist or other offensive material could prove very troublesome, not to mention embarrassing – and expensive!
  - Antitrust case against Microsoft Corp.
  - Chevron had to pay $2.2 million to settle a lawsuit resulting from an e-mail message bearing sexist contents.
• Offensive e-mails can cause considerable damage to the work environment simply by generating an unpleasant, hostile or unprofessional atmosphere.
The Threat of... Viruses
• Viruses are a major e-mail security hazard that companies simply cannot afford to ignore. Over 15,000 different computer viruses exist to date and some 500 new ones are created each month.
• The extent of the problem is so great that today many companies have even begun to prohibit the use of e-mail attachments, as this is where viruses are often embedded.
• An infected PC may not crash immediately. The virus may first raid your email address book and email itself to everyone it can, and then destroy your data.
The Threat of... Spam
• A recent survey shows that about 90 per cent of e-mail users receive spam – or unsolicited commercial mail – at least once a week.
• As well as consuming bandwidth and slowing down e-mail systems, spam is a frustrating time-waster, forcing employees to sift through and delete mounds of junk mail (loss of productivity).
• Spammers can use a corporate mail server to send out their unsolicited messages, often bringing trouble upon the unknowing organization.
Prevention
Information Leaks
• A content checking tool is a must to prevent users from sending out confidential or sensitive corporate information via email. This tool automatically scans the contents of each message being mailed.
Information Interception
• Use encryption to protect your email messages.
  - PGP and S/MIME encryption (used to encrypt the message body only)
  - SSL encryption (encrypts the email traffic as a whole)
• Use network intrusion detection software.
Prevention
Malicious or Offensive Content
• Likewise, a content screening tool is necessary to prevent corporate users from sending or receiving malicious, offensive, or inappropriate emails.
• To reinforce this preventive approach, companies should invest in a tool that automatically adds a legal disclaimer to the end of every message sent out by the organization.
Prevention
Viruses
• Obtain a reliable virus scanner that screens all incoming and outbound messages and attachments for e-mail viruses and worms.
• Open attachments, as well as emails, with caution. Look out for:
  - Email addresses you don't recognize
  - A subject that contains hook lines like "Hi! Here's the document you wanted" or "Can you check this for me?"
  - A message text body that is extremely short while the message size is very large (between 100KB and 500KB)
  - Executable attachments (.exe, .com, .vob)
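The warning signs listed above, expressed as a mail-triage check (an added example, not part of the original slides). The extension list, hook lines and size range are the slide's own; the 200-character cut-off for an "extremely short" body, the function names and the sample addresses are assumptions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr
import os

# Values taken from the slide; treat them as tunable, not as a vetted blocklist.
HOOK_LINES = ("here's the document you wanted", "can you check this for me")
RISKY_EXTENSIONS = (".exe", ".com", ".vob")
SIZE_RANGE = (100 * 1024, 500 * 1024)   # "between 100KB and 500KB"
SHORT_BODY_CHARS = 200                   # assumed cut-off for "extremely short"


def triage(raw: bytes, known_senders: set[str]) -> list[str]:
    """Return the slide's warning signs that apply to one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        flags.append("unrecognized-sender")

    subject = (msg.get("Subject") or "").lower().replace("\u2019", "'")
    if any(hook in subject for hook in HOOK_LINES):
        flags.append("hook-line-subject")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().strip() if body_part else ""
    if len(body) <= SHORT_BODY_CHARS and SIZE_RANGE[0] <= len(raw) <= SIZE_RANGE[1]:
        flags.append("short-body-large-message")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in RISKY_EXTENSIONS:
            flags.append(f"executable-attachment:{name}")
    return flags


def build_sample(sender, subject, body, attachment=None) -> bytes:
    """Constructed test message; attachment is (filename, payload_bytes)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "staff@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(attachment[1], maintype="application",
                         subtype="octet-stream", filename=attachment[0])
    return m.as_bytes()
```

A message that raises several flags at once is a candidate for quarantine and review; a single flag, such as an unrecognized sender, is common in legitimate mail.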
Prevention
Spam
• Use an efficient anti-spam tool that will pick up words and phrases that usually appear in unsolicited commercial e-mails and block the unwanted message from entering the system.
• Also effective against spam is a quarantining feature that stops e-mail messages with "spammy" content from going through, storing the spam in a special location.