Within this section of the email server policy, the general and configuration requirements that must be followed should be set out, such as:
- Passwords used to access the email servers must meet the strength requirements laid down in the policy, for example a minimum length and the inclusion of numbers, capital letters and at least one symbol. This helps to prevent users or devices that are not authorised to access the organisation's email server from reading potentially sensitive information about important clients or senior managers.
- No sensitive information should be recorded in emails that will be stored on the email server.
- All emails coming into the organisation must be scanned for malware and other malicious content before they are forwarded to the recipient or recipients. This ensures a consistent level of security across the organisation.
- The organisation's email should be used for business communication, with the exception of limited personal use, which should be moved to a separate folder.
- The most up-to-date security patches must be installed on the email server as soon as is practical without disrupting the organisation's business.
- The email server must have malware defences: software that detects malicious software, blocks its installation and prevents it from running on the server. This can be achieved by installing anti-virus software and disabling auto-run of content from USB drives on the email server.
- The email server must run only the network services, protocols and ports that are necessary for it to do its job for the organisation. This can be enforced with a host firewall that allows traffic only to the specified ports and denies everything else by default; unnecessary services should also be disabled on the host, since a firewall does not stop a local service from running.
- No third-party email services may be used by any employee to conduct business relating to the organisation.
- The email server's operating system must be securely configured (hardened) from the day it is built, so that security weaknesses are not present from the outset.
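The "only necessary services, protocols and ports" requirement above is easy to state and easy to drift away from. The following Python script is an added example (not part of the policy text) of how an administrator could check a Linux mail server against that requirement: it parses the output of `ss -Hltnp`, reports any listening socket whose port is not on the allowlist or whose owning process is not the one expected, and renders a default-deny nftables input chain that permits only the allowlisted ports. The allowlist is an assumption for a Postfix/Dovecot host with SSH administration, and the `ss` output is constructed for the example; adjust both to the services your server actually runs.

```python
"""Audit a mail server's listening sockets against a policy allowlist and
emit a matching default-deny nftables ruleset.

Added example for the email server policy; not code from the policy's author.
Run on the server as:  ss -Hltnp | python3 audit_listeners.py
or run without arguments to audit the constructed sample below.
"""
import re
import sys

# Assumed policy allowlist: port -> process expected to own it.
ALLOWED_LISTENERS = {
    22: "sshd",      # administration
    25: "master",    # Postfix SMTP (inbound mail)
    587: "master",   # Postfix submission (authenticated clients)
    993: "dovecot",  # IMAPS
}

# Constructed `ss -Hltnp` output (-H suppresses the header line).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 100  0.0.0.0:25     0.0.0.0:* users:(("master",pid=1201,fd=13))
LISTEN 0 100  0.0.0.0:587    0.0.0.0:* users:(("master",pid=1201,fd=17))
LISTEN 0 128  0.0.0.0:993    0.0.0.0:* users:(("dovecot",pid=1300,fd=40))
LISTEN 0 128  [::]:22        [::]:*    users:(("sshd",pid=900,fd=3))
LISTEN 0 4096 0.0.0.0:111    0.0.0.0:* users:(("rpcbind",pid=700,fd=4))
LISTEN 0 128  127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=1500,fd=21))
LISTEN 0 100  0.0.0.0:110    0.0.0.0:* users:(("dovecot",pid=1300,fd=41))
"""

# State, Recv-Q, Send-Q, local addr:port, peer addr:port, optional users:(("proc",...))
LISTENER_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output):
    """Yield (port, process, local_address) for each LISTEN line of ss output."""
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            yield int(m.group("port")), m.group("proc") or "?", m.group("addr")


def audit_listeners(ss_output, allowed=ALLOWED_LISTENERS):
    """Return (port, process, address, reason) for every listener that violates
    the allowlist: a port that is not allowed at all, or an allowed port owned
    by an unexpected process (for example something squatting on port 25)."""
    findings = []
    for port, proc, addr in parse_listeners(ss_output):
        expected = allowed.get(port)
        if expected is None:
            findings.append((port, proc, addr, "port not in allowlist"))
        elif proc != expected:
            findings.append((port, proc, addr, f"expected {expected}"))
    return findings


def nft_ruleset(allowed=ALLOWED_LISTENERS):
    """Render a default-deny nftables input chain that admits new TCP
    connections only to the allowlisted ports."""
    ports = ",".join(str(p) for p in sorted(allowed))
    return "\n".join([
        "table inet mailfw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f"    tcp dport {{ {ports} }} ct state new accept",
        "    ip protocol icmp accept",
        "    ip6 nexthdr icmpv6 accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for port, proc, addr, reason in audit_listeners(data):
        print(f"VIOLATION port {port} ({proc} on {addr}): {reason}")
    print(nft_ruleset())
```

On the constructed sample the audit flags rpcbind on 111, MariaDB on 3306 and plaintext POP3 on 110. Note that the 3306 listener is bound to loopback, so the firewall would never have exposed it; it is still a finding because the policy requires unnecessary services not to run at all, which is why the host check and the firewall rules belong together.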
- The email server must be physically located in an access-controlled environment.
- All organisation data mentioned within an email or an email attachment must be secured according to the Data Protection Standard.
- One person within the organisation should be assigned to support and administer the email server.
- The email server should be scanned for vulnerabilities daily so that they are detected quickly.
- The email server must be registered with the corporate enterprise management system.
- The emails stored on the organisation's email server must be recoverable in case of a security incident.
- The backup system must be tested by the service owner, including an actual restore, at least annually.
- Always use the least access required: do not use root when standard administrative access will perform the required task.
- A higher level of security (for example stronger authentication and closer monitoring) should be applied to senior management's accounts.
- Logs from the email server must be monitored and retained for a minimum of 2 weeks.
- When an employee leaves the organisation, their access to the email server must be terminated immediately.
- Employees will face disciplinary action if they breach the email server security policy.
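The log monitoring requirement above is only useful if something actually reads the logs. The following Python script is an added example (not part of the policy text) of the kind of check an administrator could run over the mail server's authentication logs: it parses Dovecot and Postfix SASL authentication-failure lines in syslog format and flags source IPs that exceed a failure threshold inside a sliding time window (password guessing against one account) or that try several distinct usernames (password spraying). The log lines are constructed for the example, the year is assumed because classic syslog timestamps do not carry one, and the thresholds are assumptions to tune for your own traffic.

```python
"""Detect brute-force and password-spray attempts in mail server auth logs.

Added example for the email server policy; not code from the policy's author.
Usage:  python3 auth_failures.py /var/log/mail.log   (or no argument for the sample)
Lines must be in chronological order, as they are in a log file.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Syslog timestamps have no year; assume one (handle rollover separately).
ASSUMED_YEAR = 2024

# Dovecot imap/pop3-login failure; rip= is the remote (client) IP.
DOVECOT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: (?:imap|pop3)-login: '
    r'.*auth failed.*user=<(?P<user>[^>]*)>.*rip=(?P<ip>[0-9a-fA-F.:]+)'
)
# Postfix smtpd SASL failure; the client IP sits in brackets after the hostname.
POSTFIX_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: warning: '
    r'\S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \w+ authentication failed'
)

# Constructed sample: one successful login, a burst from 203.0.113.7 against
# alice over IMAP and SMTP, a slow spray of three users from 203.0.113.9,
# and a single failure from 198.51.100.20.
SAMPLE_LOG = """\
Nov 12 10:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=192.0.2.10, TLS, session=<a1>
Nov 12 10:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<b1>
Nov 12 10:00:09 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<b2>
Nov 12 10:00:14 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10, TLS, session=<b3>
Nov 12 10:00:20 mail postfix/smtpd[2345]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 10:00:27 mail postfix/smtpd[2345]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Nov 12 10:01:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<c1>
Nov 12 10:03:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<c2>
Nov 12 10:05:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.10, TLS, session=<c3>
Nov 12 10:09:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10, TLS, session=<d1>
"""


def parse_failure(line):
    """Return (timestamp, ip, user_or_None) for an auth-failure line, else None."""
    for rx in (DOVECOT_RE, POSTFIX_RE):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            return ts, m.group("ip"), m.groupdict().get("user")
    return None


def detect_bruteforce(lines, window_seconds=300, threshold=5, spray_users=3):
    """Return {ip: {"failures", "users", "bruteforce", "spray"}}.
    bruteforce: >= threshold failures within any window_seconds span.
    spray: failures against >= spray_users distinct usernames (any time span)."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    report = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, user = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        entry = report.setdefault(
            ip, {"failures": 0, "users": set(), "bruteforce": False, "spray": False})
        entry["failures"] += 1
        if user:
            entry["users"].add(user)
        if len(q) >= threshold:
            entry["bruteforce"] = True
        if len(entry["users"]) >= spray_users:
            entry["spray"] = True
    return report


def analyse_sample():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = detect_bruteforce(fh)
    else:
        result = analyse_sample()
    for ip, e in sorted(result.items()):
        flags = [k for k in ("bruteforce", "spray") if e[k]]
        print(f"{ip}: {e['failures']} failures, users={sorted(e['users'])}, flags={flags}")
```

On the sample, 203.0.113.7 is flagged as brute force (five failures in 22 seconds, counted across both IMAP and SMTP submission because the detector keys on source IP rather than protocol) while 203.0.113.9 is flagged as a spray even though it never exceeds the rate threshold. Feeding the output to a blocklist or the firewall closes the loop; the 2-week retention period in the policy is what lets an investigator go back over slow sprays like the second one.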