The information risks and security controls associated with email are the focus of this module, plus (to some extent) security issues relating to other forms of interpersonal or person-to-person communications such as the telephone, SMS/text messaging and chat-type applications such as Skype and Instant Messaging.
The module is intended to:
- Introduce email and messaging security, providing general context and background information to set the scene for this topic;
- Identify, characterize and assess email and messaging-related information risks to the organization (touching on those affecting them personally as individuals) – phishing, spam and email-borne malware being just three of many concerns in this area;
- Expand on the associated information security controls (such as email encryption) and other forms of risk treatment (such as not expressing in writing and communicating things that you might later regret i.e. risk avoidance);
- Stimulate everyone to think - and most of all act - more securely while using, managing and administering email and messaging.
Consider your learning objectives on this topic, perhaps including other business issues relating to email and messaging besides the most obvious information risk and security ones, such as:
- Corporate branding e.g. logos and signature blocks;
- Using professional/formal business language or casual/informal language as appropriate;
- Disclaimers etc. designed to remind users about security and limit liabilities;
- Network and system security, including availability (e.g. pre-arranging emergency communication mechanisms in case the normal systems fail for some reason);
- Filing, backing up, archiving and retrieving important messages (including the potential ‘discovery’ or search and seizure of pertinent evidence for court cases);
- Distraction and overload caused by some users’ obsessive need to read and respond rapidly to electronic messages;
- Reporting and responding to security incidents in this area.
Email security awareness
Awareness and training materials on the information security aspects of email and other forms of messaging, covering issues such as phishing and social engineering generally, spam, malware and inappropriate disclosure of sensitive information.