(ISC)² CISSP® Official Study Guide, Eighth Edition



(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Email Security Goals
For email, the basic mechanism in use on the internet offers the efficient delivery of messages but lacks controls to provide for confidentiality, integrity, or even availability. In other words, basic email is not secure. However, you can add security to email in many ways. Adding security to email may satisfy one or more of the following objectives:

Provide for nonrepudiation

Restrict access to messages to their intended recipients (i.e., privacy and confidentiality)

Maintain the integrity of messages

Authenticate and verify the source of messages

Verify the delivery of messages

Classify sensitive content within or attached to messages

As with any aspect of IT security, email security begins in a security policy approved by upper management. Within the security policy, you must address several issues:

Acceptable use policies for email

Access control

Privacy

Email management

Email backup and retention policies


532 Chapter 12 Secure Communications and Network Attacks

Acceptable use policies define what activities can and cannot be performed over an organization’s email infrastructure. It is often stipulated that professional, business-oriented email and a limited amount of personal email can be sent and received. Specific restrictions are usually placed on performing personal business (that is, work for another organization, including self-employment) and sending or receiving illegal, immoral, or offensive communications as well as on engaging in any other activities that would have a detrimental effect on productivity, profitability, or public relations.

Access control over email should be maintained so that users have access only to their specific inbox and email archive databases. An extension of this rule implies that no other user, authorized or not, can gain access to an individual’s email. Access control should provide for both legitimate access and some level of privacy, at least from other employees and unauthorized intruders.

The mechanisms and processes used to implement, maintain, and administer email for an organization should be clarified. End users may not need to know the specifics of email management, but they do need to know whether email is considered private communication. Email has recently been the focus of numerous court cases in which archived messages were used as evidence—often to the chagrin of the author or recipient of those messages. If email is to be retained (that is, backed up and stored in archives for future use), users need to be made aware of this. If email is to be reviewed for violations by an auditor, users need to be informed of this as well. Some companies have elected to retain only the last three months of email archives before they are destroyed, whereas others have opted to retain email for years. Depending upon your country and industry, there are often regulations that dictate retention policies.
