IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.118 Determination of a security policy for the use
of e-mail
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Before e-mail systems can be approved for use, their intended purpose must
be determined. This purpose, in turn, shapes requirements concerning the
confidentiality, availability, integrity and non-repudiation of the data to be
transmitted as well as the e-mail program to be employed. Clarification is
required as to whether e-mail is to be used exclusively for the transmission of
non-binding and informal information, or whether some or all of the business
transactions processed previously in writing are now to be carried out via email.
If the latter is true, clarification is required as to how previously handwritten
remarks concerning procedures and orders, signatures and initials
should now be placed electronically.
The institution must specify a security policy which describes the following
items:
- The persons who are to receive e-mail connections
- The rules to be observed by e-mail administrators and e-mail users
- The degree of confidentiality and integrity up to which information may be
dispatched via e-mail
- The manuals which need to be procured
- How users should be trained
- How to ensure a constant availability of technical assistance for users
Organisational rules and technical measures are required to meet, in particular,
the following conditions for the proper transfer of files:
- E-mail programs intended for users should be pre-configured by the
administrator so as to automatically achieve the highest possible level of
security for the users (also refer to S 5.57 Secure Configuration of Mail
Clients).
- Data should only be transferred following successful identification and
authentication of the sender by the transmission system.
- Before making use of e-mail services for the first time, users must be
briefed on how to handle the related applications. Users must be familiar
with internal organisational rules concerning file transfer.
- To identify the sender of an e-mail, a signature is appended to the end of
the e-mail. The contents of this signature should resemble those of a
letterhead, i.e. include the user name, organisation name, telephone number
etc. A signature should not be too large, as this would take up unnecessary
transmission time and storage space. The agency / company should
determine a standard for signature design.
- The security mechanisms in use determine the degree of confidentiality and
integrity up to which files may be sent via e-mail. Clarification is required
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000