Purpose

This document addresses the risks of using email, the policies required to manage those risks to an acceptable level, and the responsibilities within the college for achieving this.

Introduction

Security policy is an essential measure to help protect Rose Bruford College information systems from compromise, whether accidental or deliberate, which could have adverse consequences for the college, its management, its staff and its students. This document addresses the risks of using email, the policies required to manage those risks to an acceptable level, and the responsibilities within the college for achieving this.

The structure of this document is described in the table below.

Section                              Description
Background to Risks                  Examples of email risks, including recently publicised cases
The User Policy                      Describes the policies that all email users must follow
Management Responsibilities          Describes management's role in supporting the policy
Technical Support Responsibilities   Describes the IT role in supporting the policy


Related policies include:

Background to Risks

Email is part of the lifeblood of Rose Bruford College, but accidental or deliberate misuse can have a number of serious impacts on the college. The following are potential risks, with examples drawn from cases that have been publicised:

Risk - Incorrect Business Use by Staff or Students
With a click of the mouse, an employee can accidentally send an email, internally or outside the college, that embarrasses management, discloses confidential information to the wrong recipient, or creates an unauthorised contractual commitment. A libellous email can also be used as incriminating evidence in legal proceedings brought against the college by an employee or by an external party. The impacts on the college could include settlements or court fines, loss of customers or prospective clients, and damage to its public reputation.

Risk - Inappropriate Personal Use by Staff or Students
An email of a personal but sensitive nature is forwarded to other members of staff or students, and to external email addresses. For example, a distasteful joke or remark about someone is sent to a friend, then forwarded on to journalists and published. The college's reputation could be severely damaged, depending on the content of the email.

Risk - Offensive Content from Staff, Students or Outsiders
Distribution of pornographic or otherwise offensive content can affect the morale of staff and result in serious embarrassment to the college and its management, with potential loss of students and damage to its reputation. The college could also be embroiled in lengthy and costly legal cases that consume staff and management resources.

Risk - Chain Emails, Hoaxes, Spam and Forged Emails
Chain emails and unsolicited emails (spam) reduce staff and student productivity, are annoying, and degrade the operation of email services and network resources. Emails with large attachments, such as images or video clips, also degrade the operation of the email service.
Up to 65% of emails are spam, and ICT staff spend significant resources dealing with this on a daily basis. The sender address displayed in an email is not verified by default and is easily forged, so the apparent origin of a message is not, on its own, evidence of who sent it. Forged emails can lead a member of staff or a student to carry out an action that discloses confidential information or otherwise jeopardises the college. Email scams reduce staff and student productivity, and scams targeted at particular types of organisation could lead to disclosure or other losses by students or members of staff.

Risk - Corruption by Malicious Content
Email continues to be one of the main channels for the transfer of malicious software across the Internet, affecting the availability and integrity of workstations and servers. Email worms may contain, or cause the download of, software that mounts Distributed Denial of Service (DDoS) attacks against other Internet websites, or otherwise uses the resources of one organisation's information systems to launch attacks on another. The college's reputation would be badly damaged by such an incident; the college could be sued and might have to pay for remedial work to its own systems.

Risk - Use of Personal Email Systems
College email that is created on, forwarded to or otherwise stored on email systems outside the college's control bypasses many of the controls implemented to meet the requirements of this policy, including email disclaimer statements, and cannot be monitored by the college.

Risk - Copyright Infringement
Software executables distributed via email, whether into or out of Rose Bruford College, may infringe copyright. This could result in embarrassment to Rose Bruford College and large fines.

Management Responsibilities

In relation to email, the college Principal is responsible for ensuring the college’s compliance with all current legislation and corporate governance. The Principal has a responsibility to governors, students and staff to safeguard college assets and viability and for preserving the college’s integrity and reputation.

Management are responsible for:


The effectiveness of the policy will be monitored by carrying out the following activities:

User Responsibilities

The following two sections detail the user email policy principles at Rose Bruford College that must be followed by all users. If users are unclear about any policy principle, they should seek clarification from the Head of IT.

These are the essential principles of the email security policy, which must be followed by all email users, whether employees or directors:

Policy for avoiding errors

The following principles should be adhered to by users to maximise the effectiveness of the email systems and to reduce the risk of accidental error. Email users should:

To help ensure that user privacy is maintained, personal emails (subject to the limitations described) should be marked "personal", as advised by Part 3 of the Data Protection Code.

Monitoring of User Emails

The college reserves the right, at its discretion, to intercept, read and store any email on its systems or in transmission over its network in the UK. All interceptions will be carried out in accordance with current legislation.

IT Support Responsibilities

The IT personnel supporting the email service have the following responsibilities:


NOTE
Part 3 of the Data Protection Code recommends that only the sender and recipient names and the subject line are monitored.

Disclaimer Text - Staff



Disclaimer Text - Students