2.9 Email Security Policy

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

2 hours 23 minutes
Video Transcription
Hello and welcome to the next training in I t. Security policy from Sai Berry.
This is module to the email security policy.
You'll be told by myself. Troy Lemaire
Learning objective This policy is Look at business related purposes,
the retention and the privacy of email.
We're gonna use another Sands template here
and in the over you. It talks about how e mails pervasively used in almost all industries
but the misuse of email can postman legal privacy and security risk. So it's important for us to understand appropriate use of electronic communication.
Purpose of this email is to ensure the proper use of the mail system and make use is aware of what deems
something to be acceptable and unacceptable in using the e mail system.
And the policy outlines the minimum requirements for use of email within a company's network.
The policy covers appropriate use of any email sent from a company email address implies all employees, vendors and agents operating on behalf of the company.
Now that we're looking into the body of the email, all use of the Vale must be consistent with the company's policies and procedures of ethical conduct.
Email accounts should be used for business related person purposes. Personal communications permitted for limited bases
all day to contain within an email or an attachment must be secured,
and e mail should be retained only if it qualifies as a business record.
So when looking at these things here, whenever you're talking about the retention,
you need to look at not only the email system but also your spam filtering
and then your email archiving solution that is in place. So what you want to be very careful of is whatever is going to be your attention on email, it has to be stuck with on all of these platforms. So if you have a retention policy of two years as an example,
your spam filter, if it takes any kind of archiving or cash, is an email need to make sure that it's not in that system.
Your email system, whether you're using myself, Outlook or Gmail, needs to not be able to hold any records that are longer than those two years,
and then your archiving has to purge e mails that are held after two years. You want to make sure all three of those are worked out to be the same.
The issue that arises if the policy says two years. But some system has a way of holding it for longer and you don't purge it. And at that point it is now discoverable inside of illegal
ah situation and you are not following your policy, which is very hard to explain. In that case, we want to make sure that your verifying on anyway that email can be stored, that whatever your policy retention schedule is that you're keeping with that
email that is identifies as a company business record, shall we? You're saying, according to the record retention schedule, which is what we just talked about.
Company email system should not be used for creation, distribution of anything disruptive or offensive,
And it goes through enlist some of offensive things that could be there. This you might want to alter. As things change in the environment,
users are permitted prohibited from automatically forwarding e mail to 1/3 party email system.
So therefore you want to make sure that that's not being done unless it is approved for any type of marketing or anything like that,
and you're prohibited from using third party email systems and storage searches. Google, Yahoo in Amos. And
so basically what you're saying is if the company has gone with myself Outlook
and in Exchange server as their email solution,
you don't want users to be going into a separate Google account. Are Gmail account and sending out things on behalf of the company. They should be using the approved provider of email, and in this case, we would be talking about Marcus off. I'll look in Microsoft Exchange
using a reasonable amount of company resource for personal emails. Acceptable. But non work related emails should be saved in separate folders, So you may want to make sure you have a distinction between what is personal email and what is private email for employees and then sending of chain letters or joke e mails is prohibited.
Employees shall not have any expectation of privacy and anything they store sin to receive on the company's email system. Basically, if it is a email that is on the company's email system, it belongs to the company and use their should be able to understand this,
and the reason that is is because of the company may monitor messages without prior notice, but it's not obliged to monitor email messages. So this says that
you can monitor emails,
but you're not obliged to sell. In a situation where some type of virus outbreak happens. One of things that you want to do is go through and look through the messages to see how this virus was
entered into the network. And if it was through email, that would be where you'd find that out.
But you're not obligated to actually go on monitor messages on an ongoing basis.
And, like with all your other policies, you wanna have policy compliance, which is
info. SEC is gonna verify compliance through various methods.
Exceptions are gonna need to borrow your approved ahead of time. And the non compliance is an employee who has violated a policy may be subject to disciplinary action up to and including termination of employment.
All those things were really good information to have inside of policy
in summary. In today's lecture, we talked about email, security policy, the business related purposes, retention and privacy.
So a recap question on email security e mail should be primarily used for what related purposes,
and this would be for business related purposes.
The next question is employees should have no expectation of what When using company email,
as we discussed, that should be privacy. No expectation of privacy When using company email,
looking forward the next lecture. We're gonna continue in general policies, and we're gonna cover the unique user policy
questions or clarification. You consent a message to Cyberia. Message.
User name is at trial, Mayor.
And thank you for attending this cyber every training.
Up Next
Introduction to IT Security Policy

Introduction to IT Security Policy, available from Cybrary, can equip you with the knowledge and expertise to be able to create and implement IT Security Policies in your organization.

Instructed By