Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
ISO27k Model Policy on Email Security

ISO27k Model Policy on Email Security

Ratings: (0)|Views: 132|Likes:
Published by vishnukesarwani

More info:

Published by: vishnukesarwani on Oct 31, 2008
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as RTF, PDF, TXT or read online from Scribd
See more
See less





NoticeBored information security awarenessEmail security policy
0100090000030202000002008a01000000008a01000026060f000a03574d46430100000000000100823f0000000001000000e802000000000000e8020000010000006c00000000000000000000002c00000071000000000000000000000075170000c902000020454d4600000100e80200000e00000002000000000000000000000000000000981200009e1a0000ca000000210100000000000000000000000000003e13030016670400160000000c000000180000000a00000010000000000000000000000009000000100000008d050000a7000000250000000c0000000e000080120000000c000000010000005200000070010000010000009cffffff000000000000000000000000900100000000000004400012540069006d006500730020004e0065007700200052006f006d0061006e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000cb30093000000000040000000000ae30083109300000000067169001001002020603050405020304877a0020000000800800000000000000ff01000000000000540069006d00650073002000000065007700200052006f006d0061006e000000540069006d006500730020004e0065007700200052006f 006d0061006e000000a04811004c3eaf30b84811006476000800000000250000000c00000001000000180000000c00000000000002540000005400000000000000000000002c00000071000000010000005fcc874078b88740000000005a000000010000004c0000000400000000000000000000008b050000a9000000500000002000720f2d00000046000000280000001c0000004744494302000000ffffffffffffffff8e050000a8000000000000004600000014000000080000004744494303000000250000000c0000000e0000800e000000140000000000
Copyright © 2007, ISO27k implementers' forum
Page 1 of 6
Information security policy
Email security
Version 3 – DRAFT / FINAL DRAFT / APPROVEDOriginal author: Gary@IsecT.comModified by:
Policy approved by Date approved
[Insert senior manager/director’sname and job here][Insert approvaldate here]
Policy summary
This policy defines and distinguished acceptable/appropriate from unacceptable/inappropriate useof electronic mail (email).
This is a standard corporate policy that applies throughout the organization as part of the corporategovernance framework. It applies to all users of the corporate email systems.
Policy Detail
Email is perhaps the most important means of communication throughout the business world.Messages can be transferred quickly and conveniently across our internal network and globally viathe public Internet. However, there are risks associated with conducting business via email. Emailis not inherently secure, particularly outside our own internal network. Messages can beintercepted, stored, read, modified and forwarded to anyone, and sometimes go missing. Casualcomments may be misinterpreted and lead to contractual or other legal issues.
NoticeBored information security awarenessEmail security policy
Policy axioms (guiding principles)
A.Email users are responsible for avoiding practices that could compromise informationsecurity.B.Corporate email services are provided to serve operational and administrative purposes inconnection with the business. All emails processed by the corporate IT systems andnetworks are considered to be the organization’s property.
Detailed policy requirements
1.Do not use email:
To send confidential/sensitive information, particularly over the Internet, unless it is firstencrypted by an encryption system approved by Information Security;
To create, send, forward or store emails with messages or attachments that might beillegal or considered offensive by an ordinary member of the public
sexually explicit,racist, defamatory, abusive, obscene, derogatory, discriminatory, threatening, harassingor otherwise offensive;
To commit the organization to a third party for example through purchase or salescontracts, job offers or price quotations, unless your are explicitly authorized bymanagement to do so (principally staff within Procurement and HR). Do not interfere withor remove the standard corporate email disclaimer automatically appended to outboundemails;
For private or charity work unconnected with the organization’s legitimate business;
In ways that could be interpreted as representing or being official public statements onbehalf of the organization,
you are a spokesperson explicitly authorized bymanagement to make such statements;
To send a message from anyone else’s account or in their name (including the use of false ‘From:’ addresses). If authorized by the manager, a secretary may send email onthe manager’s behalf but should sign the email in their own name
 per pro
(‘for and onbehalf of’) the manager;
To send any disruptive, offensive, unethical, illegal or otherwise inappropriate matter,including offensive comments about race, gender, colour, disability, age, sexualorientation, pornography, terrorism, religious beliefs and practice, political beliefs or national origin, hyperlinks or other references to indecent or patently offensive websitesand similar materials, jokes, chain letters, virus warnings and hoaxes, charity requests,viruses or other malicious software;
For any other illegal, unethical or unauthorized purpose.2.Apply your professional discretion when using email, for example abiding by the generallyaccepted rules of email etiquette (see the
Email security guidelines
for more). Reviewemails carefully before sending, especially formal communications with external parties.3.Do not unnecessarily disclose potentially sensitive information in “out of office” messages.4.Emails on the corporate IT systems are automatically scanned for malicious software, spamand unencrypted proprietary or personal information. Unfortunately, the scanning processis not 100% effective (
. compressed and encrypted attachments may not be fullyscanned), therefore undesirable/unsavory emails are sometimes delivered to users. Deletesuch emails or report them as security incidents to IT Help/Service Desk in the normal way.5.Except when specifically authorized by management or where necessary for IT systemadministration purposes, employees must not intercept, divert, modify, delete, save or disclose emails.6.Limited personal use of the corporate email systems is permitted at the discretion of local
Copyright © 2007,ISO27k implementers' forum
Page 3 of 6

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->