
Configure e-mail security settings in accordance with organizational standards.


CONTROL ID
07055
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure e-mail to limit the number of recipients per message., CC ID: 07056


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • E-mail security (Critical components of information security 1) 2) q. v., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Make use of security features provided by some email systems to detect and prevent personal data from being sent out. (Annex A2: Email Security 28, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Access to non-approved webmail services is blocked. (Security Control: 0267; Revision: 7, Australian Government Information Security Manual, March 2021)
  • Email servers are configured to block, log and report emails with inappropriate protective markings. (Security Control: 0565; Revision: 4, Australian Government Information Security Manual, March 2021)
  • The intended recipients of any blocked inbound emails, and the sender of any blocked outbound emails, are notified. (Security Control: 1023; Revision: 5, Australian Government Information Security Manual, March 2021)
  • When users send email from outside their network, an authenticated and encrypted channel is configured to allow email to be routed via a centralised email gateway. (Security Control: 0571; Revision: 5, Australian Government Information Security Manual, March 2021)
  • Emails arriving via an external connection where the source address uses an internal domain name are blocked at the email gateway. (Security Control: 1502; Revision: 1, Australian Government Information Security Manual, March 2021)
  • MTA-STS, as defined in IETF RFC 8461, is enabled to prevent the transfer of unencrypted emails between complying servers. (Security Control: 1589; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Email distribution list software used by external senders is configured such that it does not break the validity of the sender's DKIM signature. (Security Control: 1027; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure. (Control: ISM-0572; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used. (Control: ISM-1089; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Protective marking tools do not automatically insert protective markings into emails. (Control: ISM-0271; Revision: 3, Australian Government Information Security Manual, June 2023)
  • The intended recipients of blocked inbound emails, and the senders of blocked outbound emails, are notified. (Control: ISM-1023; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Opportunistic TLS encryption is enabled on email servers that make incoming or outgoing email connections over public network infrastructure. (Control: ISM-0572; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Protective marking tools do not allow users replying to or forwarding emails to select protective markings lower than previously used. (Control: ISM-1089; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Protective marking tools do not automatically insert protective markings into emails. (Control: ISM-0271; Revision: 3, Australian Government Information Security Manual, September 2023)
  • The intended recipients of blocked inbound emails, and the senders of blocked outbound emails, are notified. (Control: ISM-1023; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The organization should ensure that e-mails containing Australian Eyes Only, Australian Government Access Only, or other nationality-releasability-marked information are sent to named recipients only, and not to distribution lists or groups, unless the nationality of all members can be confirmed. (Control: 0269, Australian Government Information Security Manual: Controls)
  • The organization must ensure automatically forwarded e-mails comply with the same requirements for blocking unmarked and outbound e-mails. (Control: 0566, Australian Government Information Security Manual: Controls)
  • The organization should use Sender ID or Sender Policy Framework (SPF) to verify the authenticity of all incoming e-mails. (Control: 1151, Australian Government Information Security Manual: Controls)
  • The organization must identify, mark, or block any incoming e-mails that fail SPF checks, so that the failure is visible to the e-mail recipient. (Control: 1152, Australian Government Information Security Manual: Controls)
  • The organization should configure the e-mail distribution list software used by external senders so that it does not break the validity of the sender's DomainKeys Identified Mail (DKIM) signature. (Control: 1027, Australian Government Information Security Manual: Controls)
  • The organization should view e-mail in plain text mode rather than HyperText Markup Language (HTML) or Rich Text Format mode, so that client-side active content is blocked. (Control: 1172, Australian Government Information Security Manual: Controls)
  • Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. (CIS Control 9: Email and Web Browser Protections, CIS Controls, V8)
  • Mobile code in e-mail must be prohibited from automatically executing and e-mail software must be configured to prompt the user before mobile code in attachments is executed. (DCMC-1(6), DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Use the spam and spyware protection mechanisms to detect and take appropriate action on unsolicited messages and spyware/adware, respectively, transported by electronic mail, electronic mail attachments, Internet accesses, removable media (e.g. diskettes or compact disks) or other removable media as… (§ 5.10.4.3 ¶ 2(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Users' email accounts and Internet browsers are common access points used by threat actors to gain unauthorized access, obtain or compromise sensitive data, or initiate fraud. These attacks frequently take advantage of misconfigured applications, operating systems, and unpatched vulnerabilities by u… (Section 7 ¶ 1, Authentication and Access to Financial Institution Services and Systems)
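The MTA-STS control listed above (ISM-1589) is the one item here whose behaviour is worth seeing as code, because its effect depends on a policy file the sending MTA has to parse and act on. The following is an added example, not text from any of the cited authority documents and not a real MTA's code: it parses a constructed policy in the RFC 8461 format and applies the sending-side rule that, in enforce mode, mail to an unlisted MX or over a session without validated TLS is deferred rather than delivered in the clear, while testing mode only records the failure. The policy text, hostnames and function names are assumptions for illustration; DNS TXT discovery, HTTPS fetching and policy caching are out of scope.

```python
"""Sending-side MTA-STS (RFC 8461) policy evaluation, as an illustration.

The sample policy and delivery attempts are constructed; this is not a
complete MTA-STS client (no DNS discovery, HTTPS fetch or caching).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample of what https://mta-sts.example.com/.well-known/mta-sts.txt
# might return once a domain has moved from testing to enforce mode.
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str                      # "enforce", "testing" or "none"
    mx: list[str] = field(default_factory=list)
    max_age: int = 0               # seconds the policy may be cached


def parse_policy(text: str) -> StsPolicy:
    """Parse an MTA-STS policy file: one 'key: value' per line, 'mx' may repeat.

    Unknown keys are ignored so that future extensions do not break parsing.
    """
    fields: dict[str, str] = {}
    mx: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            fields[key] = value
    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing policy version")
    mode = fields.get("mode", "").lower()
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {fields.get('mode')!r}")
    if mode != "none" and not mx:
        raise ValueError("policy lists no mx hosts")
    if "max_age" not in fields:
        raise ValueError("policy has no max_age")
    return StsPolicy(version="STSv1", mode=mode, mx=mx, max_age=int(fields["max_age"]))


def mx_matches(pattern: str, hostname: str) -> bool:
    """RFC 8461 section 3.2 matching: '*.example.com' matches exactly one extra
    label (mail.example.com) but neither example.com nor a.b.example.com."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return hostname == pattern


def delivery_decision(policy: StsPolicy, mx_host: str, tls_validated: bool) -> tuple[str, str]:
    """Decide whether a delivery to mx_host may proceed.

    tls_validated means STARTTLS succeeded and the certificate chained to a
    trusted root and matched mx_host. Returns (action, reason) with action
    'deliver' or 'defer'; a deferral is retried later rather than sent in clear.
    """
    if policy.mode == "none":
        return "deliver", "policy mode none: no MTA-STS requirement"
    problems = []
    if not any(mx_matches(p, mx_host) for p in policy.mx):
        problems.append(f"{mx_host} is not an MX listed in the policy")
    if not tls_validated:
        problems.append("no validated TLS session")
    if not problems:
        return "deliver", "MX listed in policy and TLS validated"
    reason = "; ".join(problems)
    if policy.mode == "testing":
        # Testing mode never blocks mail; the failure is only reported (TLSRPT).
        return "deliver", f"testing mode, would have failed: {reason}"
    return "defer", reason


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    for host, tls in [("mail.example.com", True), ("mail.example.com", False),
                      ("mx1.backup.example.net", True), ("rogue.example.org", True)]:
        print(host, tls, delivery_decision(policy, host, tls))
```

The deferral path is what distinguishes MTA-STS from opportunistic TLS (ISM-0572): with opportunistic TLS alone, a downgrade to plaintext or a redirected MX is silently accepted, whereas an enforce-mode policy turns both into a temporary failure the sender will retry.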