IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
addition, senders of e-mail are in most cases able to freely enter the origin of
the e-mail (From:) so that their authenticity can only be verified through
double checking or the use of digital signatures. In case of doubt, the
authenticity of the sender should therefore be verified through a corresponding
check or - better still - through the use of encryption and/or digital signatures.
In principle, the authenticity of sender details should not be taken for granted.
E-mail systems should be checked several times daily to determine whether
new e-mails have arrived. Rules should be drawn up to govern the substitution
of users during their prolonged absence, for example, in order to forward
incoming e-mail to a stand-in.
As in most cases, it is not possible to ascertain which type of e-mail client is
used by a mail recipient and which software / operating systems are used on
the transmission route, users should be instructed to employ 7-bit ASCII
representation for mail bodies as well as attachments. Locally applicable
special characters such as mutated vowels and Greek symbols should therefore
not be included in the message text. In case of doubt, attachments should be
converted into 7-bit ASCII form using uuencode, for example.
All rules and instructions concerning the use of e-mail should be specified in
writing and remain constantly available to employees. An appropriate draft is
provided on the accompanying IT Baseline Protection Manual CD-ROM.
Personnel must be briefed before using communications services such as email
in order to avoid incorrect handling and ensure that internal
organisational guidelines are adhered to. In particular, users should be made
aware of possible threats and the related security measures to be observed
during the transmission and reception of e-mail.
To prevent overloading through e-mail, employees should be briefed about the
types of action which should be avoided in this context. They should be
warned against participation in electronic chain-letter mailings as well as
subscription to high volume mailing lists.
Users must be informed that files whose contents might cause offence should
not be dispatched to others, stored on information servers, or requested from
them. Furthermore, users should be instructed to observe the following rules
during the use of communications services:
- Negligent or even intentional interruption of operations in progress should
be avoided at all costs. Actions which should be avoided in particular
include unauthorised attempts to access network services regardless of
their nature, modification of information available via networks,
intervention in the operating environments of other network users, and
forwarding of inadvertently received details on computers and staff
members to third parties.
- Information of no public relevance should not be disseminated. The
overloading of networks through an arbitrary and excessive distribution of
information should be avoided.
- The distribution of redundant information should be avoided.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000