S 3.32 User training on Outlook security mechanisms
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: IT Security Officer, Head of IT
Outlook users must regularly be made aware of existing and new threats connected with the use of Outlook. Examples include phishing and vishing.
Furthermore, it is advisable to provide users with sufficient training on Microsoft Outlook. Among other things, this training should cover the following subjects:
- Overview: Access control for a Microsoft Exchange server
- Overview: Access control for mailboxes
- Recognition of certificates (What is the significance of cross-certificates?)
- Authentication at the web interface, as well as its strengths and weaknesses
- Securely handling internet certificates
- Forcing the protection of communications: port encryption and SSL utilisation
- Restrictions for executing active content in Microsoft Outlook
- Email encryption and email signatures
- Storing user profiles
- Handling offline folders
- Security settings for personal folders (encryption)
- Threats when using the out-of-office functionality
- Handling mailing lists
- Handling delegate authorisations ("Send as")
- Codes of conduct for using Outlook Web Access (if this functionality is provided at all)
- Handling Outlook forms
This list is only an excerpt of the required security subjects and must be adapted and expanded to suit the organisation. It is important that users are instructed on how to handle all relevant security mechanisms of Microsoft Outlook. In addition, users must be familiar with the organisation's applicable security policies so that they can apply them when using the security mechanisms of Microsoft Outlook.
Review questions:
- Did all users receive training regarding their work with Microsoft Outlook?
- Are all employees made aware of possible threats related to the use of Outlook?
- Did the users receive instructions on how to handle all relevant security mechanisms of Microsoft Outlook?