IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.119 Regulations concerning the use of e-mail
services
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: IT-user
If data are to be exchanged electronically between two or more
communications partners, they must observe the following guidelines to
ensure proper exchange:
- E-mails must bear unique addresses to prevent dispatch to the wrong party.
Within an organisation, address books and distribution lists should be
maintained to ensure that the most commonly used addresses are always
correct. Test messages should be sent to newly configured e-mail addresses
in order to ensure that the data is transferred correctly.
- If e-mail is sent to several recipients, the "CC" option should not be used as
every recipient can then see who else has received the message. Instead,
distribution lists or the "BCC" option should be used. BCC stands for blind
carbon copy and recipients entered here are not told who else has received
the message.
- All e-mails sent to external locations must be appended with a signature
file containing the complete sender address.
- The subject of communication must always be indicated, similar to the
mention of subjects in written correspondence.
- Data transmissions which have been completed should be checked for
correctness. The recipient should check whether data have been received
properly, and issue a confirmation to the transmitting party.
- A memory-resident virus scanner should be employed for incoming and
outgoing files. Prior to their dispatch, outgoing files should be checked
explicitly for computer viruses.
- If a file has been attached to an e-mail, the following information should
also be submitted to the recipient:
- The type of file (e.g. Word Perfect 5.0),
- A brief description of the file contents
- A note that the file has been scanned for computer viruses
- If applicable, the type of compression program (e.g. PKZIP)
- If applicable, the type of encryption software or digital signature
The following items should not be indicated:
- Passwords allocated to classified information
- Keys used for encrypting information
In the case of most e-mail systems, information is sent in unencrypted form
via open lines, and might be stored on a number of computers until it reaches
the recipient. The information can be easily manipulated during its journey. In
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000