S 2.274 Deputisation arrangements for e-mail

Initiation responsibility: IT Security Officer, Supervisor

Implementation responsibility: User, Administrator

For the processing of e-mails, a substitute must be appointed for each employee, just as for any other task. Before planned periods of absence, employees should then set up forwarding of their e-mails or grant the substitute access to their mailbox. For unplanned absences, e.g. due to illness, other arrangements must ensure that e-mails are still processed promptly. For example, the secretariat of the department concerned can notify the persons responsible for IT, who then activate forwarding on the e-mail server. This is only permissible, however, if it has been clearly stipulated that e-mail may be used for official purposes only; otherwise private messages could be disclosed to the substitute. In addition, the users concerned should be notified by e-mail that forwarding has been activated. As soon as they are back in the office, they should inform the persons responsible for IT so that the forwarding can be deactivated.

As an alternative, functional (role-based) e-mail addresses can be set up for this purpose. In this case, too, it must of course be ensured that incoming e-mails are processed promptly at all times.

Many e-mail clients offer a function that can be enabled before a longer period of absence (autoreply, in Outlook the Out of Office Assistant) so that, during the specified period, every sender of an e-mail receives a message stating that the recipient is temporarily unavailable. This is often useful, but it also means that too much information about the user and the organisation may be disclosed to a wide circle of external parties.

Despite such an out-of-office message, it is in most cases still not clear to the sender how their e-mail will be dealt with: whether it remains unprocessed for the time being or has been forwarded to a substitute.

All users should therefore ensure that their out-of-office messages disclose neither the exact period of absence nor internal details of the organisation, such as telephone numbers or organisational units. Such information can be exploited for social engineering attacks (see T 5.42 Social Engineering). Employees should be instructed on how out-of-office messages are to be set up, for example by means of a corresponding intranet notice.

In any case, substitutes should be appointed for all longer periods of absence. Mechanisms such as the Out of Office Assistant can then also be used to inform external parties that their e-mail has been received and will be processed.

Note: Most e-mail programs with an autoreply function also allow the out-of-office message to be controlled by criteria that the users define themselves. For instance, it can be specified that internal senders receive a different reply than external senders. This requires more in-depth knowledge of the e-mail client, however. If rules controlling the autoreply function are to be used, the administrators should prepare them for the users accordingly.
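As an added example (not part of the original safeguard text), the following server-side Sieve script (RFC 5228 with the vacation, envelope and copy extensions) shows how an administrator could implement both the server-side forwarding to a substitute described above for unplanned absences and the distinction between internal and external senders mentioned in the note, while keeping the external reply free of the details this safeguard warns against. The domain example.org, the mailbox addresses, the substitute's name and extension, and the date are assumptions; a Sieve-capable mail server (for example Dovecot with Pigeonhole) is assumed as the platform.

```sieve
# Added example: out-of-office handling with different replies for internal
# and external senders plus forwarding to a substitute.
# All addresses, names, dates and the domain example.org are assumptions.
require ["vacation", "envelope", "copy"];

# Never answer automated, bulk or list mail (loop and spam protection).
# The vacation extension already suppresses some of this; the explicit
# checks are belt and braces.
if anyof (header :contains "Precedence" ["bulk", "list", "junk"],
          header :contains "Auto-Submitted" "auto-",
          envelope :is "from" "") {
    stop;
}

# Internal senders, identified by the SMTP envelope sender domain rather than
# the easily forged From: header. This still assumes that the mail gateway
# rejects external mail claiming to come from example.org (SPF/DMARC).
if envelope :domain :is "from" "example.org" {
    vacation :days 7
             :subject "Out of office until 14 June, substitute: Jane Doe"
             :addresses ["alice@example.org", "alice.smith@example.org"]
             "I am out of the office until 14 June. My substitute Jane Doe (jane.doe@example.org, ext. 1234) handles urgent matters; a copy of your message has been forwarded to her.";
    # Forward a copy to the substitute; :copy keeps the original in the user's mailbox.
    redirect :copy "jane.doe@example.org";
}
# External senders: confirm receipt and processing, but disclose neither the
# exact period of absence nor internal details (names, extensions, units).
else {
    vacation :days 7
             :subject "Your e-mail has been received"
             :addresses ["alice@example.org", "alice.smith@example.org"]
             "Thank you for your e-mail. I am currently not available. Your message has been received and will be processed by the responsible colleague. For urgent matters please contact info@example.org.";
    redirect :copy "jane.doe@example.org";
}
```

The `:days 7` argument limits each sender to one automatic reply per week, and `:addresses` lists the user's own aliases so that replies are only sent when the user was an actual recipient. The internal branch deliberately relies on the envelope sender, not the From: header; if the gateway does not enforce SPF/DMARC for the organisation's own domain, an external party could spoof an internal sender address and obtain the detailed internal reply, which is exactly the social engineering risk this safeguard describes. Forwarding to the substitute in both branches is only admissible where official-use-only of e-mail has been stipulated, as stated above.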

Review questions: