Email Security Policy
PURPOSE
The goal of this policy is to outline the company’s email system usage standards. This policy will assist the organization in reducing the risk of an email-related security issue, fostering good business communications both internally and externally, and ensuring that the company’s email principles are used consistently and professionally.
Company Employees
- Read and comply with this policy.
- Protect LightForce electronic information’s confidentiality, integrity, and availability.
- When contracting with an external IT supplier, assist in ensuring that the supplier satisfies its contractual duties to secure and manage LightForce IT assets.
- Review and update the policy as needed.
OBJECTIVE
Email is an important part of LightForce communication, but it poses a unique set of issues since it has the potential to compromise the network’s security. When sending and receiving email from work accounts, users are expected to use common sense, and this policy specifies expectations for appropriate, safe, and effective email use. The organization will make every effort to run LightForce’s email system in a way that allows users to be productive while also reducing the risk of a security event involving email.
DEFINITIONS
Auto Responder:
An email function that sends a predetermined response to anyone who sends an email to a certain address. Often used by employees who will not have access to email for an extended period of time, to notify senders of their absence.
Data Leakage:
Also called Data Loss, data leakage refers to data or intellectual property that is pilfered in small amounts or otherwise removed from the network or computer systems. Data leakage is sometimes malicious and sometimes inadvertent by users with good intentions.
Encryption:
The process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored.
Mobile Device:
A portable device that can be used for certain applications and data storage. Examples are PDAs or smartphones.
Password:
A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.
Spam:
Unsolicited bulk email. Spam often includes advertisements, but can include malware, links to infected websites, or other malicious or objectionable content.
Two Factor Authentication:
A means of authenticating a user that combines two independent factors, for example something the user has (a smart card or token) or something the user is (a biometric) together with something the user knows (a password).
POLICY/PROCEDURE
Sending Emails
Emails sent from a LightForce email account should be carefully addressed and sent. Users should be aware that once email is transmitted outside of the LightForce network, the company loses all control over it.
To avoid inadvertent information disclosure to an unintended recipient, users must exercise extreme caution when entering addresses, particularly when email address auto-complete is enabled, when using the Reply All function, or when using distribution lists.
E-mail Signatures & Auto-Responders
For emails sent from the LightForce email system, an email signature (contact information appended to the bottom of each outgoing email) is advised. At the very least, the user’s signature should include the following information:
- Title
- Company name
- Phone number(s)
Personal messages are not permitted in email signatures (political, humorous, etc.). If necessary, the IT department can assist with email signature setup.
If the user will be out of the office for an entire work day or more, the company suggests using an auto-responder. The auto-response should inform the sender that the user is out of the office, the expected return date, and who to contact if immediate assistance is required.
Mass Emailing
The company distinguishes between bulk email distribution and unsolicited email distribution (spam). Mass emails can be useful for both sales and non-sales objectives (for example, when communicating with a company’s staff or customers), and are permitted depending on the circumstances. Spam mailing, on the other hand, is strictly prohibited.
Sending large emails
Email systems were not designed to transfer large files and, as such, emails should not contain attachments of excessive size. Users should limit email attachments to 30 MB or less. For external email systems, the company reserves the right to impose a lower attachment limit.
Users should recognize the additive effect of large email attachments when sent to multiple recipients, and use restraint when sending large files to more than one person.
Opening attachments
- When opening email attachments, users must exercise caution. Viruses, Trojans, and other malware can easily be delivered by email attachment.
- Users should:
  - Never open unexpected email attachments.
  - Never open email attachments from unknown sources.
  - Never click a link in an email message unless they are confident that the link is safe. Because specially formatted emails can mask a dangerous URL, it is usually advisable to copy and paste the link into the web browser or retype the URL.
- LightForce may employ any means it deems appropriate to block communications it regards as dangerous or to remove potentially harmful email attachments.
Company ownership and business communications
- Users should be aware that the company owns and maintains all legal rights to its email systems and network, which means that any email sent through these systems is held by the company and may be used for purposes the user did not intend. Users should be aware that email may be archived, copied, stored, or used for legal, disciplinary, or other purposes. Additionally, email to or from some public or governmental institutions may be considered public record.
- Users are reminded that email sent from a work account reflects on the organization, and that email should be handled professionally and courteously. Email is a key mode of communication for the company’s business activities. Users of the company’s email system are expected to monitor and react to messages on a regular basis.
- All business-related email must be sent through the corporate email system. Sending work email via a non-company-provided email account is forbidden.
Personal Use
- For any non-business correspondence, users must use a non-company-provided (personal) email account. The purpose of the corporate email system is to communicate with the rest of the company.
- Users must adhere to corporate standards when accessing non-company-provided accounts through the workplace network.
Monitoring and privacy
When using the business network or company resources, users should not expect privacy. This applies to the transmission and storage of files, data, and communications. The corporation reserves the right to monitor all computer network activity. Interception and review of any emails or other messages sent or received, as well as inspection of data held on personal file directories, hard drives, and removable media, may be used to ensure compliance with company policies.
Sensitive data
- Sensitive information should be sent as an encrypted attachment rather than as plain text in an email message. Email is a risky way of communicating. Users should consider email in the same way they would a postcard, which, like email, can be intercepted and viewed as it travels to its intended recipient.
- All email is encrypted in transit using Transport Layer Security (TLS). Attachments within the email may be encrypted using additional methods. If you need help with this, contact Information Security.
- Passwords for email accounts must be kept private and used in accordance with the Password Policy. The organization may further safeguard email with certificates, two-factor authentication, or another security method.
Data leakage
- Unauthorized emailing of confidential or non-confidential company material to external email accounts for storage outside of company networks is forbidden. Users who require access to information from external systems (for example, from home or while traveling) should notify their supervisor instead of emailing the data to a personal account or otherwise removing it from corporate systems.
- LightForce may use data loss prevention procedures to prevent the leakage of confidential data.
Company administration of e-mail
Filtering
- LightForce will filter email at the Internet gateway and/or the mail server, in an attempt to filter out spam, viruses, or other messages that may be deemed:
  - contrary to this policy, or
  - a potential risk to the company’s IT security.

  No method of email filtering is 100% effective, so the user is additionally asked to be cognizant of this policy and use common sense when opening emails.
- Many email and/or anti-malware programs will identify and quarantine emails that they deem suspicious. This functionality may or may not be used at the discretion of LightForce IT.
Storage Limits & Email Retention:
- Email storage limits are determined by the Hosted Email Provider in use at LightForce.
- Email should be retained and backed up in accordance with the applicable policies. Unless otherwise indicated, for the purposes of backup and retention, email should be considered operational data.
- Users are strictly forbidden from deleting email in an attempt to hide a violation of this or another company policy. Further, email must not be deleted when there is an active investigation or litigation where that email may be relevant.
Aliases
The company may or may not use email aliases, as deemed appropriate by the IT Department and/or executive team. Aliases may be used inconsistently, meaning: the company may decide that aliases are appropriate in some situations but not others depending on the perceived level of risk.
Account activation:
- Email accounts will be set up for each user determined to have a business need to send and receive company email and to participate in other LightForce resources tied to our SSO solution.
- Accounts will be set up at the time a new hire starts with the company, or when a promotion or change in work responsibilities for an existing employee creates the need.
Account termination:
- When a user leaves the company or their email access is officially terminated for another reason, the company will disable the user’s account access via a password change, account deactivation, or other means. The company is under no duty to stop receiving email for that account, and it may continue to forward inbound email addressed to that account to another user or set up an auto-response to tell the sender that the user is no longer employed by the company.
Prohibited actions
- The following acts are prohibited when using the company’s email system. This list is not exhaustive, but it serves as a starting point for the types of actions that are considered inappropriate. The user is not permitted to use the company’s email system to:
- Send any information that is illegal under applicable laws.
- Access another user’s email account without:
  - the knowledge or permission of that user and the IT Department (which should only occur in extreme circumstances), or
  - the approval of company executives in the case of an investigation, or
  - such access constituting a function of the employee’s normal job responsibilities.
- Send any emails that may cause embarrassment, damage to reputation, or other harm to the company.
- Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, harassing, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
- Send emails that cause disruption to the workplace environment or create a hostile workplace. This includes sending emails that are intentionally inflammatory, or that include information not conducive to a professional working atmosphere.
- Make fraudulent offers for products or services.
- Attempt to impersonate another person or forge an email header.
- Send spam, solicitations, chain letters, or pyramid schemes.
- Knowingly misrepresent the company’s capabilities, business practices, warranties, pricing, or policies.
- Conduct non-company-related business.
The company may take steps to report and prosecute violations of this policy, in accordance with company standards and applicable laws.