Establish, implement, and maintain an anti-spam policy.
CONTROL ID 00283
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Privacy protection for information and data, CC ID: 00008
This Control has the following implementation support Control(s):
Refrain from sending unsolicited commercial electronic messages under predetermined conditions., CC ID: 13993
Refrain from sending unsolicited commercial electronic messages with hyperlinks to a country with an anti-spam policy., CC ID: 00284
Refrain from including misleading information in the e-mail header when transmitting electronic messages., CC ID: 00285
Include information identifying the organization hired to send commercial electronic messages when sending commercial electronic messages through a third party., CC ID: 00286
Include contact information in commercial electronic messages., CC ID: 15457
Refrain from sending commercial electronic messages to a third party computer when the message does not contain a functioning return e-mail address that is clearly visible to the receiver., CC ID: 00287
Refrain from sending commercial electronic messages, physical mail, or making telephone calls after an opt out by a user., CC ID: 00288
Include a personal identifier, an opt-out provision, and a physical address to add the recipient to the do-not-e-mail registry in all commercial e-mails., CC ID: 00289
Define aggravated violations that relate to commercial electronic messages., CC ID: 00293
Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages., CC ID: 00294
Define who enforces the anti-spam policy., CC ID: 00295
Establish, implement, and maintain a do-not-e-mail registry., CC ID: 00297
Enter individuals into the do-not-e-mail registry upon request., CC ID: 11810
Refrain from using address-harvesting software to send unsolicited commercial e-mails., CC ID: 00298
Refrain from sending unsolicited commercial electronic messages to nonexistent electronic addresses., CC ID: 00299
Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy., CC ID: 00300
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
the specified message includes such information and complies with such conditions as is or are specified in the regulations, if any; and (PART IX Division 3 Section 44 (1)(c), Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and (§ 44.(c), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether — (§ 43.(2)(b), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
Member States must ensure that free, unsolicited communications for direct marketing are prohibited without consent of the subscriber or when against the wishes of the subscriber who doesn't want to receive direct marketing, the option determined by national legislation. (Art 13.3, Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
Using automated calling systems without human intervention for direct marketing, sending advertising materials, conducting market surveys, or interactive business communication will be allowed only with the user's consent. This also applies to electronic communications by e-mail, facsimile, MM. or S… (§ 130.1 thru § 130.3, Italy Personal Data Protection Code)
The control system shall provide the capability to prevent both transmission and receipt of general purpose person-to-person messages. (9.5.3.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
Good privacy management is supported by the practice of effectively managing marketing lists and third-party vendor relationships. (§ 4.5 (Privacy Best Practices), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
Online advertisers should accurately describe their business practices with regard to their use of unsolicited e-mail to customers. (Principle III.C, BBBOnline Code of Online Business Practices)
Organizational records and documents should be examined to ensure spam protection software is installed on servers, workstations, mobile devices, and entry and exit points to the system; the spam protection software checks unsolicited e-mail messages; the software is automatically updated; the syste… (SI-8, SI-8(1), SI-8(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)