World Agroforestry Centre Policy Series MG/C/7/2009
ILRI Policy Series

Email Management and Security Policy

One of the policies on information security and business continuity which will be audited by the CGIAR Internal Audit Unit for all Centres, given (a) their network inter-linkage through Active Directory and (b) the inter-reliance of many Centres for information backup and recovery of hosted outreach sites.

Document Revision History

Version  Date        Author(s)   Revision Notes
1.0      29/10/2009  Ian Moore   Final draft circulated to staff
1.1      03/12/2009  Ian Moore   Revised following SLT guidance

Information Security – Email Management and Security Policy 1

Document Control

The ICT Manager of the common services unit providing ICT Services to the World Agroforestry Centre and ILRI will maintain control of the document, which will be reviewed every two years in conjunction with the ICT Steering Group. Proposed updates will be presented to the Centres’ senior management for adoption according to their organizational arrangements for approval of ICT policies. Upon acceptance by the Centres, the update will come into force. Any discretionary controls added by a Centre may be reviewed annually; however, updates may occur more frequently if deemed necessary.

Purpose

The purpose of this document is to communicate the Centre’s policy on managing email security. Whilst the use of email as a medium of communication has become ubiquitous, it is inherently an insecure form of communication. E-mails can easily be intercepted and read by those determined to know their content, used to obtain sensitive information through phishing techniques, and used to distribute viruses and malware, and systems can be swamped by unsolicited mail. For this reason, it is imperative that sensitive information is not sent or received via e-mail by staff within the Centres unless the potential security threats are mitigated by following this policy.
Scope

This document covers controls that should be adopted in using the Centre’s email system, the retention of information, and its administration by the common service unit for ICT. Use of email and privacy issues concerning monitoring and archiving of email are covered by the ICT Privacy and Acceptable Use Policy.

Some of the specific risks that may eventuate if email usage and security are not managed properly include:

• Unauthorised information disclosure – The use of e-mail within the Centres introduces the risk of both accidental and malicious information disclosure through:
  • Mismanaged e-mail recipient lists that result in the unintended delivery of e-mails to certain third parties;
  • Eavesdropping attacks in which a fraudulent party is able to intercept and examine the contents of e-mails containing sensitive information; or
  • Deliberate or accidental forwarding by staff of sensitive information such as research-in-progress, and private, personal, or financial data.
• Viruses and unrestricted active content – Infection and the propagation of a virus, worm or other form of malicious software via e-mail may compromise the confidentiality of data stored, processed or transmitted on computers located within the Centres, and may lead to further infections within the Centres’ ICT networks.
• Loss of network availability – The availability of the Centres’ networks can be impaired if unauthorised broadcast messages or self-propagating messages are sent or received, such as through e-mail bombing or spam.
• Legal liability – The Centres may be legally liable if staff send inappropriate, misleading or incorrect information using e-mail.

This policy applies to all permanent and temporary staff within the Centre, as well as contractors and visitors who work at and/or visit the Centre and who have a stake in any changes occurring in the Centre’s ICT Service environment.
Implementing this policy is an important component of ensuring that potential threats to the overall ICT security position of the Centre are managed effectively. This is particularly the case given the shared CGIAR electronic network, which has created inter-dependency among Centres with respect to network security.

1. Administration of Email Accounts

1.1. Anyone with a contract to work for the Centre (permanent, temporary, consultant, student, etc.) is entitled to an email account in the Centre’s email system.
1.2. Anyone who has a contract to work for an organisation hosted by the Centre and whose duty station is at one of the Centre’s principal offices is entitled to an email account in the Centre’s email system.
1.3. Where a clear business benefit exists, an email account will be created for a partner following a written request by the Manager responsible for the partner. The Manager will be responsible for ensuring that the partner complies with all email-related policies and procedures of the Centre. Access will be limited to a period not exceeding six (6) months.
1.4. Where a clear business benefit exists, a specifically named email account (e.g. HR Recruitment) may be created and used. The manager who requested the creation of the email account takes responsibility for all actions performed using it.
1.5. For regional staff who have difficulty accessing the Centre’s email system due to limited bandwidth, an email account can be assigned on the CGXchange Google Apps system that will be linked to a User ID in the Centre’s Active Directory.
1.6. Before an email account is created, the user should be made aware of, and should accept as a condition of mail use, all email-related policies and procedures of the Centre.
1.7. Users are responsible and accountable for all actions performed using their email account. The core principle is that security is everyone’s responsibility and everyone has a responsibility to protect their own “identity” on the Centre’s computer systems.
1.8. Users should only use software and systems for accessing email services that have been approved for use by the Centre.
1.9. It is recommended that messages sent to email accounts in the system should not be automatically forwarded to any untrusted email addresses.
1.10. In exceptional cases, forwarding of mail will be implemented using a pass-through contact that does not require the user to have a User ID or mailbox in the Centre’s Active Directory.
1.11. Email accounts will be disabled immediately when the user leaves the Centre. Content from the mailbox will be archived and the mailbox deleted within 60 days of the mailbox being disabled. Where a business benefit exists, a Senior Manager can request to extend the use of a mailbox for a period not exceeding six (6) months.

2. Email Privacy and Monitoring

This section complements the policy statements on privacy and acceptable use of email described in the ICT Privacy and Acceptable Use Policy.

2.1. The Centre reserves the right to record, store and inspect all email communications and logs of such communications.
2.2. All email account users should be notified about the monitoring controls and practices that are in place to:
  • monitor performance
  • ensure compliance with the policies of the Centre
  • comply with legal and regulatory requests for information
  • detect and prevent misuse of the email systems
  • troubleshoot hardware and software problems
  • investigate disclosure of confidential research, proprietary information, or conduct that may be illegal or adversely affect the Centre or its associates.
2.3. ICT may examine or disclose information only under the following conditions:
  • The ICT Manager is allowed to perform the investigation, but only with the approval of the Director General and the Director/Head of Human Resources, or two senior managers delegated to act for them in their absence. Another member of the ICT staff can only be delegated to carry out the task if they have also received the same level of approval.
  • The person concerned must be informed, unless the inspection relates to a criminal or potentially criminal matter.
  • Each task carried out should be documented to allow the investigation process to be reconstructed if required. Wherever possible this should be done through a system-enforced audit trail.
2.4. Every message that passes through the email systems is scanned to check for computer viruses, worms, or other executable items that could pose a threat to the security of the Centre’s network and data. Infected email messages should not be delivered to the user.
2.5. Every email message that passes through the email systems is scanned to check its contents against predetermined criteria, such as the following:
  • Unsolicited messages (spam)
  • Bad SMTP headers
  • Invalid source IP addresses
  • Bad domain names
  • Attachments containing inappropriate or malicious material (including viruses, worms and Trojans).
  If the message does not pass the criteria, the message should not be delivered to the user and the system administrator should receive an automatic alert.
2.6. Email servers should be configured in a manner that minimises the chances of Centre email addresses being added to email blacklists. The following controls should be implemented to support this requirement:
  • Ensure that each Centre mail server within the internal infrastructure correctly identifies itself to other connecting mail servers.
  • Ensure that Centre emails cannot be relayed externally.
  • Ensure that systems and workstations are and remain malware-free.

3. Mobile device emails

3.1. Mobile devices such as laptops, smart phones, PDAs and other devices can be utilised for email. While these devices are convenient, mobile email users should be made aware that the risk of messages being intercepted is high, especially in situations where the security of a mobile device’s network connection is unknown (for example, public wireless networks or Internet cafes).

4. Encryption of emails

4.1. Email is an inherently insecure form of communicating information. It is recommended that highly confidential information should not be sent by email to external parties. ICT can assist in encrypting messages containing highly confidential information that have to be sent by email.
4.2. Access to the email system through a web browser should be over a secure connection (SSL).
4.3. Access to the email system when off campus should be through one of the following methods:
  • From a notebook computer configured to use RPC over HTTPS.
  • From a web browser over a secure SSL connection.
  • From a mobile device using ActiveSync or through the BlackBerry Enterprise Server.
  • Connection to the email server using any other protocol (such as IMAP) requires encryption via SSL.

5. Related Documentation

5.1. ICT Privacy and Acceptable Use Policy
5.2. Network Infrastructure Security Policy
5.3. Workstation Security Policy
5.4. Email good etiquette guidelines
5.5. Document Management Policy

6. Compliance and Waivers

6.1. Compliance with this policy by users, network administrators, or others responsible for implementation of the policy is mandatory. Procedures are in place to monitor compliance with this policy.
6.2. Violations of this policy may result in disciplinary action in accordance with the human resources policies of the Centre.
6.3. Requests for waivers of this policy shall be formally submitted to a Senior Manager. The requests shall set out the justification, the duration of the proposed waiver and how the increased risk arising from the waiver will be managed. Requests will be approved by the Senior Manager of the person making the request, in consultation with the ICT Manager, and will be documented in the form of a management letter.
6.4. Approved waivers shall be monitored to ensure that the conditions of the waivers are being observed.

Definitions

• Domain names: A name (for example, test.com) that is used to represent an IP address or a set of IP addresses.
• Email: The electronic transmission of information through a mail protocol such as Simple Mail Transfer Protocol (SMTP). Emails can be sent in either HTML or plain-text format.
• Email systems: The network components and the software that allow transmission of electronic messages. These include the email server, the gateways and routers, as well as client email applications.
• Encryption: The process of encoding emails using a specific algorithm to ensure the contents are unreadable to everyone except the sender and intended recipient of the message. Email encryption is often achieved using public/private key cryptography through software such as PGP (Pretty Good Privacy).
• Hypertext Transfer Protocol Secure (HTTPS): A combination of the HTTP protocol and the SSL/TLS protocol that provides encryption for secure transfer of information over the Internet.
• Mailing list: A list of email addresses identified by a single email address. When an e-mail message is sent to the mailing list email address, it is automatically forwarded to all the addresses in the list.
• Phishing: Attempts to obtain sensitive information from people, usually by requesting usernames and passwords or by installing malware on the computer. The information can then be used to obtain advantages through identity theft or stolen usernames and passwords.
• Remote Procedure Call (RPC): A technology that allows a computer program to cause a part of the program (a subroutine) to run in a different location, usually on another computer or server, without the code being explicitly written for the remote interaction.
• Sensitive Information: Information assets classified as restricted, confidential or for internal use.
• Secure Sockets Layer (SSL): SSL provides a method of authenticating the communicating parties (client and server authentication) and encrypting the information exchanged between those parties. SSL is supported by most web browsers and web servers.
• Signature: Email signatures can refer to one of two concepts: firstly, the generation of a hash of a message that uniquely identifies the sender of the message and proves to the recipient that the message has not been altered during transmission. It can also refer to the consistent addition of certain information to the text of all email messages, such as names, addresses, and phone numbers.
• SMTP headers: SMTP (Simple Mail Transfer Protocol) is used to send email messages on the Internet between servers and from a mail client to a mail server. The SMTP header refers to text automatically inserted at the beginning of an email message by client mail programs and added to by all the mail servers en route to the destination. Each node adds more text, including from/to addresses, subject, content type, time stamp and identification data, which allows the path of the message from source to destination to be tracked.
• Spam: The sending of unsolicited emails, often advertising a product or service or containing malicious file attachments. Spam emails are often sent in bulk to a large number of email addresses that may be harvested using a variety of techniques.
• Viruses: An unauthorized program that replicates itself, attaches itself to other programs and spreads onto various data storage media or across the network. The symptoms of virus infection include much slower computer response time, inexplicable loss of files, changed modification data for files, increased file sizes, and a possible total failure of the infected computer.
• Senior Manager: The person on the Centre’s management committee (MC/SLT) who has responsibility for the person making the request.
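As an added illustration of the message-scanning criteria in section 2.5 (example code written for this page, not the Centre's own gateway software), the following Python check applies those criteria to one raw message: required SMTP headers present, a routable source IP in the last-hop Received header, a well-formed and non-blocklisted sender domain, and no executable attachments, holding the message and alerting the administrator on any failure. The blocklist, extension list and address ranges are constructed sample values that a real gateway would replace with maintained lists.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample lists for illustration; a real gateway would use maintained feeds.
BLOCKED_DOMAINS = {"bad-example.test"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs")
REQUIRED_HEADERS = ("From", "To", "Date", "Message-ID")
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
# Ranges no Internet mail server can legitimately connect from (RFC 1918, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def source_ip(msg):
    """IP recorded in the most recent Received header (the hop that reached our gateway), or None."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    return m.group(1) if m else None

def ip_is_valid(ip):
    # False for missing/unparsable addresses and for ranges that cannot be a real external sender.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)

def check_message(raw):
    """Apply the section 2.5 criteria; returns (deliver, reasons). Any reason blocks delivery."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for h in REQUIRED_HEADERS:                      # bad SMTP headers
        if msg[h] is None:
            reasons.append(f"missing header {h}")
    ip = source_ip(msg)                              # invalid source IP address
    if not ip_is_valid(ip):
        reasons.append(f"invalid source IP {ip}")
    sender = str(msg["From"] or "")                  # bad domain names
    domain = sender.rsplit("@", 1)[-1].strip("> ").lower() if "@" in sender else ""
    if not DOMAIN_RE.match(domain) or domain in BLOCKED_DOMAINS:
        reasons.append(f"bad sender domain {domain!r}")
    for part in msg.iter_attachments():              # executable or otherwise risky attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append(f"risky attachment {name}")
    return not reasons, reasons

def gateway_action(raw):
    """Deliver, or hold the message and alert the administrator, as section 2.5 requires."""
    deliver, reasons = check_message(raw)
    return "deliver" if deliver else "hold and alert admin: " + "; ".join(reasons)
```

The spam criterion is left to a dedicated content filter; the check above covers the header, source and attachment criteria that can be evaluated from the message alone.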