S 2.123 Selection of a groupware or mail provider
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Head of IT
Before selecting a groupware or mail provider, the persons responsible should inform themselves about the terms laid down by the provider, for example whether and for how long process and communication data are archived, whether upper limits are set on the volume of incoming and outgoing e-mails, and whether e-mails are filtered and, if so, according to which rules.
Organisations use the services of groupware or mail providers when they do not want to establish and maintain their own systems or wish to increase the flexibility of their systems. In addition to outsourcing groupware services completely, it is also possible to use individual services of groupware providers offered on the Internet to facilitate working in teams or while travelling, such as web mail services and group appointment calendars. Many employees also use such services privately. All employees should therefore be aware that they may only use external groupware services approved by their organisation for official business. In general, clear and understandable rules must be set for all employees on what they have to observe when using external groupware services.
The organisation should clarify in advance which security mechanisms are implemented by the groupware or mail provider and whether the internal security requirements are thus met. The persons responsible for security should make sure that the groupware or mail provider's servers are operated securely, i.e. that the requirements described in S 5.56 Secure operation of a mail server are fulfilled.
Providers store data relating to the user for accounting and billing purposes (name, address, user ID, and bank account data) as well as connection data. The content transmitted is also stored for a length of time that differs from provider to provider.
Users should ask their groupware or mail provider which data is stored and for how long before deletion. When selecting a provider in Germany, it should be taken into account that German providers are required to follow the relevant data privacy laws applying to the processing of this data.
Through the use of encryption, users can prevent providers from reading the contents of information transferred by e-mail. For other groupware services, such as address books or calendars, this is often not possible. Before using such services, users should inform themselves about how the data is protected against unauthorised access in this case.
Large providers operating their own large network have the advantage that e-mails and other information exchanged exclusively within that network are less exposed to manipulation than if they were forwarded via the Internet.
Many providers headquartered abroad route all e-mails and other information through that country. This should be taken into account when assessing the number of gateways through which the information passes, i.e. the number of parties who might be able to read the e-mail.
Review questions:
- Is it ensured that all security mechanisms required are implemented by the groupware or mail provider?
- Do all employees know what must be observed when using external groupware services, e.g. webmail services?