Email Security

Created by Danny Wong, Modified on Sun, 25 Oct 2020 at 10:50 AM by Danny Wong

Policy Statement

All members of Business are responsible for protecting the confidentiality, integrity, and availability of data created, received, stored, transmitted, or otherwise used by Business.


Business reserves the right to restrict the use of information technology resources in order to preserve data security or comply with law or policy.


In order to further secure Business data and users of Business, Business should implement a Business-wide email security system that incorporates spam filtering, advanced threat protection, and threat classification.


Reason for Policy

Email is a common method of data exfiltration, namely by the use of spam messaging and phishing campaigns in order to trick users into providing sensitive information on a fake website. In order to protect against these advanced persistent threats, Business has implemented an email security solution that is modular in nature and robust in terms of its capabilities.


Who Should Read this Policy

All users of Business.

1.   Overview

Business should implement an email security solution such as MailGuard, Proofpoint, Advanced Threat Protection, or equivalent. The system provides spam message filtering and protection against advanced persistent threats by blocking spoofing attempts, intercepting malicious hyperlinks, and scanning attachments in email messages that may contain malicious code.


2.   System Basics

The spam management feature is an email filtering tool; all incoming email is filtered by an anti-spam and anti-virus product. Messages are scored and thresholds have been set in alignment with industry standards and Business needs in order to safely quarantine messages that contain spam or malicious content. These thresholds are tuned regularly in response to environmental changes and user feedback.


The system also provides targeted attack protection against malicious hyperlinks and attachments contained in email messages. Hyperlinks are assessed for the likelihood of a threat or attack. Hyperlinks are rewritten in such a way to protect end users from accidentally clicking through and exposing themselves to an attack or infection.


Attachments are securely screened and tested for the presence of malicious code, or “sandboxed.” Email messages found to contain malicious attachments are blocked from delivery in order to prevent infection or spread of ransomware. The delivery of emails containing attachments from external senders may be delayed on average 3 – 5 minutes, although the maximum delivery delay will not exceed 15 minutes.


Lastly, the email security system implements filtering of “spoofed” messages. Spoofed messages are often used by attackers to impersonate another user in order to conduct a social engineering attack, typically to request monies or privileged credentials. The email system is configured to detect and quarantine messages that are spoofed. Quarantined messages will appear in the daily message digest. False positives can be reported to ITS for investigation and whitelisting. NOTE: The accuracy of detection is highly subjective and reliant on the sender's trusted email infrastructure, e.g. SPF, DKIM, DMARC, domain name, and IP address.


The implementation of this system has shown a dramatic increase in the number of spam-related messages that have been quarantined and a decrease in the number of compromised user accounts by protecting against malicious hyperlinks and attachments. As this system provides an adequate layer of defense against malicious attacks both on and off the Business network, all individuals with a Business email account are automatically enrolled in these services.


3.   Individual Responsibilities

In order to ensure all individuals are protected against threats through the WCM email system, all users are automatically enrolled in the spam filtering and security features (anti-virus scan, hyperlink protection, attachment scanning and testing, anti-spoofing) of the email security solution. Due to the security implications that may occur from withdrawing from these services, users may tune some of the spam filtering and digest features, but may not withdraw from the provided security features.


3.1 Assistance with Email Security System

Individuals that are experiencing technical difficulties with the email security system should contact ITS Support for assistance.


If too many messages are being blocked inadvertently, users can adjust the quarantine, white list, and black list options. ITS Support can assist users in learning how to manage these controls.


4. Definitions

These definitions apply to institutions and regulations as they are used in this policy. Definitions of technical terms are supplied by NIST IR 7298 Revision 2, Glossary of Key Information Security Terms.


  1. ITS: Information Technologies & Services Department
  2. spam: The abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.
  3. phishing: Tricking individuals into disclosing sensitive personal information through deceptive computer-based means.
  4. spoofing: Faking the sending address of an email message in order to deliberately induce a user to take incorrect action, usually through the use of spam or phishing.
  5. ransomware: Type of malicious software (or “malware”) that restricts access to the infected system (or other interconnected systems) in some way and demands that the user pays a ransom to the attackers in order to remove the infection. In most cases, this type of infection is spread via malicious email attachments.
  6. APT: Advanced Persistent Threats. An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
