LINCOLNSHIRE COUNTY COUNCIL
Information Security Policy Framework
Document No. 8
Email Policy V1.3
Document Control

Reference: V1.3 Email Policy
Date: 17 July 2015
Author: David Ingham
Approved by: Judith Hetherington Smith - Chief Information Officer

Version History (Date - Version Number - Revision Notes - Author)

18 February 14 - V 0.1 - Initial Draft - David Ingham
10 April 14 - V 0.2 - Minor amendments, released for comment - David Ingham
14 April 14 - V 1 - Amendments following HoIMT review - David Ingham
4 June 14 - V 1.1 - Minor amendments following CIO review. Addition of BPSS requirement - David Ingham
10 June 2015 - V 1.2 - Minor text corrections. Para 4.5 amended. Clarification of email forwarding and OWA access included. Para 5.4 added. Para 14 added (delegate access). Para 15 added (accessing ex-employee email accounts) - David Ingham
17 July 2015 - V 1.3 - Minor text amendments following CIO comment. Added para 17 - David Ingham

Contents

Document Control ... 2
1. Aim ... 3
2. Introduction ... 3
3. Scope ... 3
4. General Principles ... 3
5. Email confidentiality ... 4
6. GCSX email ... 4
7. LCC Secure Email ... 5
8. LCC standard email ... 6
9. Spam email ... 6
10. Virus transmission ... 7
11. Unacceptable Use ... 7
12. Personal Use ... 8
13. Generic Email Accounts ... 8
14. Delegate Access ... 8
15. Accessing email accounts of ex-employees ... 9
16. Email management ... 9
17. Further Information ... 10

Document Reference: V1.3 Email Policy Page 2
1. Aim

1.1. The aim of this policy is to ensure that individuals are aware of their responsibilities when using Council email.
1.2. This policy forms part of the LCC Information Security Policy Framework, which contains a set of policies, procedures and standards designed to protect Council information and information assets.

2. Introduction

2.1. Electronic mail (email) systems are provided by the Council to allow employees to communicate on behalf of the Council in an effective, efficient and timely manner.
2.2. However, email can put the Council at risk from a number of threats. These range from information being obtained by unauthorised people and the introduction of malicious software to legal action caused by inappropriate use of the systems.
2.3. It is the responsibility of those who use Council email to ensure that this technology is used for Council purposes in a manner which does not compromise the Council or its Users in any way.

3. Scope

3.1. The policy applies to every individual using Council-provided email, including employees, members, contractors, consultants, suppliers, partnerships and volunteers.

4. General Principles

4.1. Email must not be considered to be any less formal than memos or letters that are sent out from the Council.
4.2. Email must not contain any material which would reflect poorly on the Council's reputation or its relationship with third parties.
4.3. Personal web-based email accounts or home email accounts must not be used to conduct Council business.
4.4. Email must not be auto-forwarded to non-LCC corporate email addresses, as the security of alternative email addresses cannot be assured.
4.5. When using Outlook Web Access to access corporate email, information must not be transferred to or stored on a non-LCC device. This is to ensure all corporate information is subject to corporate security controls.
4.6. Requests for information under the Data Protection Act or Freedom of Information Act may require that an email is made public, and therefore the confidentiality and privacy of emails cannot be guaranteed.
4.7. Emails must only be transmitted by individuals using their own authorised account.
4.8. Emails which form part of a record must be subject to the Records Management Policy and must be subject to the appropriate retention and disposal schedules.
4.9. Email attachments should be stored within corporate systems, i.e. IMP, Mosaic, and deleted from emails.
4.10. Attempts to email all LCC users will be blocked and automatically diverted to the Internal Communications team, who are responsible for approving corporate emails.

5. Email confidentiality

5.1. When sending an email to more than one recipient and it is necessary to protect email addresses, the BCC (blind carbon copy) feature must be used, i.e. when sending an external email to multiple members of the public or multiple suppliers.
5.2. Care must be taken when addressing emails, and checks must be undertaken to ensure any email or attachment is transmitted to the intended recipient.
5.3. Particular care must be taken if the email client software auto-completes an email address as the user begins typing the recipient's name.
5.4. Emails which contain personal data, or information which can be defined as sensitive by the Council (information you would not want to be published in the public domain), must not be sent external to the Council unless a secure email solution is used. Secure email solutions are described below in paragraphs 6 and 7.
5.5. In addition to using secure email, attachments containing personal data or other sensitive information must be password protected where possible. This will prevent casual access if an email is sent to the incorrect recipient.
5.6. Any incoming email marked using the government's classification scheme, e.g. Official, must have its markings preserved and respected for any onward communication.

6. GCSX email

6.1. GCSX email must be used to securely send personal data or sensitive information via email to Government organisations that have a designated GCSX or equivalent email address.
6.2. Equivalent email addresses include:
6.2.1. Local Government: *gcsx.gov.uk
6.2.2. NHS/Health: *.nhs.net
6.2.3. The Police National Network/Criminal Justice Service/Ministry of Justice: *.pnn.police.uk, *scn.gov.uk, *cjsm.net
6.2.4. Central Government: *.x.gsi.gov.uk, *.gsi.gov.uk, *.gse.gov.uk
6.3. Users must be aware that sending an email from a GCSX email account to an email address which does not meet the above criteria is insecure, and such addresses must not be used to send personal data or sensitive information.
6.4. LCC Secure email must be used as an alternative to GCSX email when Government authorities or private organisations do not have access to a GCSX email account or equivalent.
6.5. GCSX Mail must only be available from LCC corporate devices.
6.6. Emails delivered to GCSX email accounts must not be auto-forwarded to another email account.
6.7. Applications for a GCSX account must be completed using the online GCSX e-form available on the Information Governance page on George.
6.8. Applications for a GCSX generic account must be completed by a Manager using the generic email request e-form available on the Information Governance page on George.
6.9. Only staff with individual GCSX accounts may be allocated access to a generic GCSX account.
6.10. All users of GCSX email (a PSN service) must be validated against the Baseline Personnel Security Standard (BPSS) before an account is provided.

7. LCC Secure Email

7.1. The LCC Secure email service must be used to transmit emails containing personal data or sensitive information to external email addresses when the recipient does not have access to a GCSX email address or equivalent.
7.2. All Users must familiarise themselves with the LCC Secure email service instructions before using it. Failure to do so may result in an email being sent insecurely.
7.3. All Users must ensure intended recipients are provided with the LCC Secure email service instructions on initial use.
7.4. Instructions on the use of LCC Secure email are available on the Information Governance Intranet page.

8. LCC standard email

8.1. LCC standard accounts, i.e. lincolnshire.gov.uk, must only be used to exchange personal data or sensitive information with other internal LCC standard email addresses.
8.2. LCC standard email accounts must not be used to send personal data or other sensitive information external to the Council.

9. Spam email

9.1. Spam email, also known as junk email, is unsolicited email sent to numerous email accounts. It can be used as a method of delivering malicious software by convincing a User to click on an executable attachment or on a link to a malicious website.
9.2. Email which has been quarantined by the technical controls on the Council Network must only be released if the User is confident it is a legitimate email.
9.3. A User must not open an attachment or click on any link within any email unless confident the email is legitimate.
9.4. Spam email must be deleted and must not be forwarded.
9.5. Users must not reply to spam email, nor must they attempt to remove the Council email address from the mailing list, as this confirms the existence of an address following a speculative email.
9.6. Users must consider the consequences of providing an official Council email address to a third party, e.g. a commercial website, as this can lead to spam email.
9.7. Council email addresses must only be provided for legitimate Council business purposes.
9.8. Technical measures will be implemented and maintained by the Council to prevent inbound emails which contain executable files, e.g. as an email attachment.
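As an added illustration of the channel rules in sections 6 to 8 (this is not part of the policy or any Council system), the following Python function classifies a recipient address against the section 6.2 domain list and returns the channel the policy permits for a message. The function names, the treatment of the wildcards exactly as written in 6.2, and the sample addresses are assumptions made for the example.

```python
import re

# Secure-equivalent domain patterns copied from section 6.2, wildcards as written.
# "*gcsx.gov.uk", "*scn.gov.uk" and "*cjsm.net" have no leading dot, so any domain
# ending in those strings matches; the dotted patterns require a subdomain boundary.
GCSX_EQUIVALENT_PATTERNS = [
    "*gcsx.gov.uk",      # Local Government
    "*.nhs.net",         # NHS/Health
    "*.pnn.police.uk",   # Police National Network
    "*scn.gov.uk",       # Criminal Justice Service
    "*cjsm.net",         # Ministry of Justice
    "*.x.gsi.gov.uk",    # Central Government
    "*.gsi.gov.uk",
    "*.gse.gov.uk",
]
LCC_STANDARD_DOMAIN = "lincolnshire.gov.uk"   # section 8.1


def _pattern_to_regex(pattern):
    # Turn a policy wildcard such as "*.nhs.net" into an anchored, case-insensitive regex.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


_GCSX_REGEXES = [_pattern_to_regex(p) for p in GCSX_EQUIVALENT_PATTERNS]


def recipient_domain(address):
    """Extract the lower-cased domain part; reject anything that is not user@domain."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a valid email address: {address!r}")
    return domain.lower()


def is_gcsx_equivalent(address):
    """True if the recipient domain matches one of the section 6.2 patterns."""
    domain = recipient_domain(address)
    return any(rx.match(domain) for rx in _GCSX_REGEXES)


def required_channel(recipient, sensitive):
    """Channel the policy permits: 'standard' (non-sensitive content, or sensitive
    content staying inside lincolnshire.gov.uk), 'gcsx' (6.1: sensitive data to a
    GCSX or equivalent address) or 'lcc-secure' (7.1: sensitive data elsewhere)."""
    domain = recipient_domain(recipient)
    if not sensitive or domain == LCC_STANDARD_DOMAIN:
        return "standard"
    if is_gcsx_equivalent(recipient):
        return "gcsx"
    return "lcc-secure"
```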
10. Virus transmission

10.1. Email is the most common way that viruses are transmitted between computers. The most common mechanism for this is in the form of an attachment to the message.
10.2. A User must not open an attachment or click on any link within any email unless confident the email is legitimate.
10.3. A User must be vigilant to malicious software when receiving attachments which contain compressed file formats, such as .zip and .rar. If in doubt, a User must not open the attachment and must seek advice from the IT Service Desk.
10.4. A User must not forward any email they suspect of containing a virus.
10.5. A User must contact the IT Service Desk if they believe they have received a virus via email or a virus is present on their device.
10.6. If a virus is confirmed as being present on your device, you must follow the instructions provided by the IT Service Desk.

11. Unacceptable Use

11.1. Users must not email unsolicited commercial or advertising material, chain letters, or other junk mail of any kind, internally or to other organisations.
11.2. Users must not undertake activities that unreasonably waste staff effort or networked resources, or activities that unreasonably serve to deny the service to other users.
11.3. Users must not create or transmit any offensive, obscene or indecent images, data or other material, or any data capable of being resolved into obscene or indecent images or material.
11.4. Users must not create or transmit material which is designed or likely to cause annoyance, inconvenience or needless anxiety.
11.5. Users must not create or transmit material that is abusive or threatening to others, or serves to harass or bully others.
11.6. Users must not create or transmit material that either discriminates or encourages discrimination on racial or ethnic grounds, or on grounds of gender, sexual orientation, marital status, disability, or political or religious beliefs.
11.7. Users must not create or transmit defamatory material.
11.8. Users must not create or transmit material which brings the Council into disrepute.
11.9. Users must not broadcast global emails. Such emails must be coordinated by the Council's communications team.

12. Personal Use

12.1. You must not use corporate email to send personal email outside of the Council. Internal personal use of corporate email must be reasonable, proportionate and occasional, and must not interfere with the performance of your role or the performance of the system.
12.2. Personal use must not impact or interfere with your own performance at work or that of others.
12.3. Personal use must not include the use of personal email accounts for Council business.
12.4. Personal use of email must not conflict with "Unacceptable Use" as described in paragraph 11.
12.5. The Council may monitor email usage to ensure compliance with this policy.

13. Generic Email Accounts

13.1. A generic email account for shared access must be provided only when a business case exists.
13.2. A generic email account must have a designated owner, who will be responsible for the account and for granting and revoking access rights to the account.
13.3. A generic email account must only be used to send email when there is a business need to do so, as individual email accounts must be used as the preferred method of email communication.

14. Delegate Access

14.1. Delegate access can allow another person to read, create or have full control over items in a User's inbox, and is most commonly used between a manager and the relevant support staff. In this instance access must be provided following the identification of a clear business need.
14.2. Delegate access to email accounts in other instances, e.g. long-term absence, must only be provided following a clear business need and only when authority is provided by the email account owner or, in their absence, an appropriate senior manager.
14.3. Requests for delegate access must be documented by the authoriser.
14.4. Delegate access must not be provided by supplying the details of a User account, i.e. username and password.
14.5. Delegate access must not allow the delegated person to write emails from the delegated account. Responses to emails must be sent from the delegate's own account.
14.6. It is the responsibility of the authoriser (owner of the account or senior manager) to request the removal of delegate access when a business need no longer exists.
14.7. Delegate access must be implemented only as a temporary solution based on business need, unless it meets 14.1.

15. Accessing email accounts of ex-employees

15.1. There are occasions when access to the business emails of ex-employees is required, and in each instance a robust business case must be provided.
15.2. Authority to access an ex-employee's email account must be provided by an appropriate manager and recorded by the IT Service Desk.
15.3. Unless the business case requires otherwise, access must be time-limited to 30 days.
15.4. The person accessing emails must take reasonable precautions to avoid opening private emails. If it becomes readily apparent that an email is of a personal nature, the reader must not open it, or must stop immediately if the email has already been opened.
15.5. Access must be provided by transferring emails into a container of the relevant person's email client.
15.6. Forwarding or redirecting emails from an ex-employee's account must be avoided.

16. Email management

16.1. The signature facility must be used as a sign-off on emails to ensure the recipient understands who they are communicating with and to provide additional contact details.
16.2. A message which includes a disclaimer will be generated automatically on emails sent externally to the Council. It must provide guidance to recipients should an email be received in error.
16.3. The Out of Office assistant must be activated if you are unable to answer emails. Alternative contact details must be provided for a line manager or colleague.
16.4. Email accounts must be managed by account holders to ensure the size of the mailbox remains manageable.
16.5. All emails which are corporate records must be moved to the appropriate corporate resource and must not be stored in personal email accounts.

17. Further Information

17.1. For further information or guidance please contact the Information Governance Team by email at information_governance@lincolnshire.gov.uk.