Email Acceptable Use Policy must contain required elements.

From Email Services Policy STIG

Part of EMG0-092 Acceptable Use Policy Required Elements

Associated with IA controls: PRRB-1

SV-20685r3_rule Email Acceptable Use Policy must contain required elements.

Vulnerability discussion

Email is only as secure as its recipient, who is ultimately the person receiving the messages. Likewise, the surest way to prevent SPAM and other malware from entering the email message transport path is to use secure IA measures at the point of origin, which again is ultimately a person: the one sending the messages. Email Acceptable Use Policy statements must include user education and expectations, as well as penalties and legal ramifications surrounding noncompliance. Examples of elements may include classification and sensitivity labeling, and recognition of undesirable messages such as SPAM, phishing, or bogus certificates. There should also be process information, such as the Email Acceptable Use Policy location, review frequency, email services offered (Outlook, web-based email), and email services forbidden (such as access via alternate email products). Users may also need to know other useful information, such as mailbox size quotas, attachment limitations, and procedural steps for making help desk requests. Descriptions of email tools, rules, and alerts, plus the official formats of email-based announcements that may originate from the Email Administration team, should be documented to prevent users from being fooled or compromised by social engineering exploits. It may also be advantageous to have an ‘official’ method of communicating, enabling users to recognize non-authentic requests and report them.

Check content

Access the EDSP documentation that describes the Email Acceptable Use Policy elements. Included should be elements such as the following:

- User education
- User expectations
- Penalties for non-conformance
- Legal ramifications
- Classification labeling
- SPAM and Phishing recognition
- Bogus certificates
- Review frequency
- Services offered or not offered
- Message and attachment size quotas
- Help desk and other support information

If the Email Acceptable Use Policy contains required elements, this is not a finding.

Fix text

Revise or supplement the Email Acceptable Use Policy so it contains the required elements. Document the email acceptable use policy elements in the EDSP.
