7.4 E-Mail

Description

Electronic mail service (e-mail in short) allows the world-wide transmission and reception of electronic messages within a very short time. An e-mail usually consists of addresses (from/to), a subject (title or reference), a text body and, occasionally, one or more attachments. E-mail not only allows information to be exchanged quickly, conveniently and informally, but also makes it possible to forward business transactions to other parties for further processing. Depending on the context in which e-mail is used, different requirements apply to the confidentiality, availability, integrity and binding nature (non-repudiation) of the transmitted data as well as to the e-mail software in use.
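As an added illustration (this code is not part of the BSI manual), the following Python program parses a constructed MIME message into the components the paragraph names: sender and recipient addresses, subject, text body and attachments. It uses only the standard library `email` package; the addresses, subject and attachment in `SAMPLE_MESSAGE` are made up for the example. Note that the format itself authenticates nothing: the `From` header and the attachment file name are plain text supplied by whoever submitted the message, which is why integrity and binding nature require measures beyond the message format.

```python
"""Parse a constructed MIME e-mail into sender, recipients, subject, body and attachments.

Added example, not part of the BSI IT Baseline Protection Manual.
Uses only the Python standard library.
"""
from email import message_from_string, policy

# Constructed sample message: addresses, subject and attachment are hypothetical.
SAMPLE_MESSAGE = """\
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>
Subject: Invoice 4711
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please process the attached invoice.
--BOUNDARY
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""


def parse_mail(raw: str) -> dict:
    """Return the structural components of an e-mail as a dictionary.

    The From/To values are taken verbatim from the headers; nothing in the
    message format proves they are genuine (no signature is checked here).
    """
    msg = message_from_string(raw, policy=policy.default)

    # Preferred text body: the first text/plain part that is not an attachment.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""

    # Attachments: every immediate sub-part that is not a candidate body part.
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # base64 etc. decoded
        attachments.append({
            "filename": part.get_filename(),          # declared by the sender
            "content_type": part.get_content_type(),  # declared by the sender
            "size": len(payload),
        })

    return {
        "from": str(msg["From"]),
        "from_addr": msg["From"].addresses[0].addr_spec if msg["From"] else None,
        "to_addrs": [a.addr_spec for a in msg["To"].addresses] if msg["To"] else [],
        "subject": str(msg["Subject"]),
        "body": body,
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in parse_mail(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Running the file prints each component; `attachments` shows the sender-declared file name and content type next to the real decoded size, the two pieces of information a mail gateway would compare before accepting an attachment.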

Threat Scenario

The following typical threats are assumed for IT baseline protection of data exchanged via e-mail:

Organisational Shortcomings:

Human Failure:

Technical Failure:

Deliberate Acts:

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4 is recommended.

As regards e-mail systems, the following essential aspects need to be investigated:

A comprehensive security policy (refer to S 2.118 Determination of a security policy for the use of e-mail) needs to be prepared before security measures for the exchange of electronic mail are implemented. The operation of e-mail systems requires security measures both for the mail server and for the clients in use. The security precautions and instructions to be observed by users are of particular importance. The package of measures for the area of e-mail is listed in the following:

Organisation:

Personnel:

Hardware/Software:

Communications:

Contingency Planning:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000