Electronic Messaging Policy. 1. Document Status. Security Classification. Level 4 - PUBLIC. Version 1.0. Approval. Review By June 2012

Transcription

1 Electronic Messaging Policy 1. Document Status Security Classification Level 4 - PUBLIC Version 1.0 Status DRAFT Approval Life 3 Years Review By June 2012 Owner Secure Research Database Analyst Retention Change History 1

2 Contents 1. Document Status Introduction Scope Accessing IOE Security Appropriate Use of Institute Systems Unacceptable Use of Systems... Error! Bookmark not defined. 7. Privacy... 6 Appendix A: Procedure for Handling Compromised User and Accounts.. Error! Bookmark not defined. 1. Background... Error! Bookmark not defined. 2. Impact... Error! Bookmark not defined. 3. Remedial Actions... Error! Bookmark not defined. Deleted: 5 Deleted: 7 Deleted: Deleted: Deleted: 2

3 1. Introduction 1.1 This policy sets out the proper use of for IOE-related purposes. All users of the Institute systems can find further information in the Information Security Policy, the Data Security Policy, the Conditions of Use for Computer Users form and other accompanying guideline documents. 2. Scope 2.1 This policy covers all electronic messaging utilized by authorized IOE users. 2.2 All forms of electronic messaging, including , instant messaging, tweeting and blogging, are covered without exception by this policy. The use of the word will, for the purposes of this policy, cover all forms of electronic messaging. 3. Accessing IOE 3.1 IOE accounts are given to staff, students and approved third parties who agree to adhere to and abide by the Institute s Information Security Policy and other related policies, codes of practice and guidelines. 3.2 IOE systems have been designed to enable use from IOE workstations, external computers and other end user devices (such as XDAs, smartphones etc). Access is therefore only controlled by single-factor authentication (the possession of something you know a username and password) and is available anywhere on many different devices. 3.3 All material sent from, received by, uploaded to or downloaded from the IOE servers must be handled in a manner appropriate to its Data Classification (see Data Security Policy). 3

4 4. Security 4.1 Usernames and passwords are for individual use only, and must not normally be disclosed to third parties, whether within or outside the IOE. 4.2 Any user knowing or believing that they have disclosed their account details, or who knows or suspects that their account has been compromised, must contact the computer helpdesk immediately in order to outline the situation. 4.3 In order to maintain the confidentiality, integrity and availability of IOE systems and services, and also to ensure that the IOE is not blacklisted by ISPs or has its internet access removed by JANET, compromised and user accounts will be dealt with in a uniform manner, the details of which are available to IOE staff upon request. There will be no exceptions is considered an inherently insecure method of communication. There is no guarantee that the recipient of a message is in fact genuine, nor is there any guarantee that the sender of a message is genuine. should therefore not normally be used to transmit data classified as Confidential or Restricted. 4.5 Once a message has been SENT, recipients may intentionally or accidentally forward the message to other individuals. Therefore users of electronic messaging should have no expectation that any electronic message will remain private. 4.6 Users cannot currently send nor receive messages containing encrypted attachments. Encrypted attachments cannot be scanned by firewalls, anti-virus or anti-malware applications. The authenticity and malware-free status of the attachment cannot therefore be guaranteed, and in order to ensure the confidentiality, integrity and availability of IOE systems the sending and receiving of unscannable files must be blocked. 4.7 The IOE has put into place spam filters and anti-virus filters at the gateways. These filters are there to protect the IOE s information systems resources from viruses and unsolicited . Whilst the IOE is constantly updating these filters it cannot guarantee that it will provide 100% protection against all viruses and spam. If any users feel that they are receiving excessive amounts of unsolicited or are being caused distress by the receipt of offensive they may contact the IT Services helpdesk for further guidance. 4

5 5. Appropriate Use of Institute Systems 5.1 The use of IOE-provided is subject to all relevant laws, policies, codes of practice and guidelines. All users must comply with the IOE s Information Security Policy, the Data Security Policy and the Conditions of Use for Computer Users. 5.2 IOE services are provided to staff, students and approved third parties to conduct official Institute-related business. s of a personal nature may be sent using the IOE system so long as they do not breach the Conditions of Use for Computer users or other terms and conditions of employment. 5.3 Official IOE business should not normally be conducted from accounts other than those provided by the IOE. Although it is recognised that this might be necessary in some exceptional circumstances, users should be also be aware that the use of third-party providers for IOE work may breach contractual, legislative, ethical and policy requirements. 5.4 Users must not send messages or message content that may harass or offend (including racist, sexist, defamatory or obscene material). 5.5 Users must not send messages from someone else s account except under proper delegate and send on behalf of arrangements which retain individual accountability. 5.6 Users should not normally auto forward mail to a non-ioe system (this includes internet systems such as hotmail or gmail) see 5.3 above. 5.7 Users should not normally enter into contractual agreements by Users must not use IOE for personal gain or profit. 5.9 Users must not use IOE to represent themselves as someone else Users are encouraged not to use IOE as a means of storing information. All important information should be stored within the Q: drive, a research project folder, a user s N: drive, or other IOE-provided storage as appropriate to the nature and classification of the information. Attachments should be detached from messages and saved appropriately IOE should not be accessed by any end user device that has been deliberately or knowingly cracked or jailbroken, or that may otherwise prove a threat to the Confidentiality, Integrity and Accessibility of IOE user accounts, networks and data. 5

6 6. Privacy 6.1 Under the terms of this policy no person shall monitor another user s account unless written authorisation has been granted to do so. The monitoring and or inspection of accounts may only occur in accordance the Information Security Policy and the Monitoring and Logging Policy. 6.2 The IOE, in accordance with its legal and audit obligations, and for legitimate operational purposes, reserves the right to access and disclose the contents users messages. The Institute also reserves the right to demand where necessary the disclosure of decryption keys so that it may fulfil its right of access to users messages in such circumstances. The IOE also reserves the right to monitor users accounts where necessary as set out in the Information Security Policy and the Monitoring and Logging Policy in line with the Regulation of Investigatory Powers Act (RIPA) 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, the Digital Economy Act 2010 and the Terrorism Act Mailbox Termination 7.1 Staff mailboxes will be deleted at the termination of the staff member s employment. 7.2 Where explicitly requested in writing by a head of department, a mailbox of a staff member who has left may be kept open for a period of not more than two months, with an Out of Office reply directing enquiries to a different address. 7.3 Any addressed to a named staff member who has left may NOT be redirected to another address. Such s may contain personal, confidential or inappropriate content that may place the IOE or IOE staff at risk if it is opened. 7.4 Staff mobile devices which are used to connect to IOE-provided mailboxes or which contain data owned by or held by the IOE will be wiped at the termination of a staff member s employment. 7.5 Mailboxes not logged into or utilized for a period of one year will be disabled. If no request is received within a further three months requesting their reenablement, they will be permanently deleted. 6