Welcome to the tenth issue of ISO17799 News, designed to keep you abreast of developments and news with respect to ISO 17799 and information security. The information within the newsletter is totally free to subscribers and provides guidance on various practical issues, as well as commentary on recent Information Security incidents.
Included in this edition are the following topics:
INTRODUCING AN EFFECTIVE EMAIL SECURITY POLICY
Email security breach is becoming an increasingly significant threat to organizations around the world. To counter this, most organizations will already have a firewall and anti-virus software in place. Hopefully, as new viruses are found daily, they have made sure that their virus protection is also updated on a daily basis.
Viruses, of course, can sometimes penetrate the firewall by hiding within emails. Once opened, the virus can spread and cause significant damage to internal systems. The virus may not always be serious enough to cause permanent damage but, even with moribund viruses, the disruption may well take time and money to rectify.
Despite these risks, there is no escaping the fact that e-mail is rapidly becoming the principal means of business communication. Draconian restrictions on use are therefore not tenable. However, rigid application of stringent security policy certainly is.
The following high level best practice statements should be adhered to as a basic minimum (extracted from http://www.information-security-policies.com):
- Personnel should understand the rights granted to them by the organization in respect of privacy in personal e-mail transmitted across the organization’s systems and networks. Human Resources Department should incorporate a suitable wording into employee contracts to ensure that this privacy issue is fully understood.
- Personnel should not open emails or attached files without ensuring that the content appears to be genuine. If you are not expecting to receive the message or are not absolutely certain about its source, do not open it.
- Confidential and sensitive information should not be transmitted by e-mail - unless it is secured through encryption or other secure means.
- Personnel should be familiar with general e-mail good practice e.g. the need to save, store and file e-mail with business content in a similar manner to the storage of letters and other traditional mail. E-mails of little or no organizational value should on the other hand be regularly purged or deleted from your system.
From these, it is recommended that more specific corporate requirements are produced and implemented.