S 3.76 Basic user training on how to use groupware and e-mail
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: User
The users must be trained in the use of communication services and groupware applications such as e-mail before actually using them to avoid errors during operation and to ensure that they comply with the organisation's internal policies. In particular, they must be made aware of the potential risks and threats involved, and they must be informed which security safeguards they need to take when sending and receiving e-mails. It must be pointed out that any abnormal behaviour of the communication software must be reported.
Users must be informed that files whose contents may be considered offensive are not allowed to be sent, stored on information servers, or requested from information servers. In addition, the users must undertake to follow the rules below when using communication services:
- The negligent or deliberate interruption of live operations must be avoided under all circumstances. In particular, it is prohibited to attempt to gain access to network services without authorisation (regardless of the type of network service), to change information available over the network, to interfere with the individual working environment of a network user, or to pass on to third parties any information about computers or personnel that was obtained accidentally.
- The spreading of information that is of no relevance to the general public is prohibited. The overloading of networks due to arbitrary and excessive dissemination of information should be avoided.
- The dissemination of redundant information should be avoided.
In addition, the users must be informed of the following points:
- When an e-mail is sent to several recipients at the same time, the recipients are often entered in the "To" or "CC" field. One advantage of this, among others, is that an e-mail only needs to be sent once and every recipient can see immediately who else has received the message. In many cases, though, it does not make sense to allow every recipient to see the entire list of recipients. This is not only a hassle for the recipients, but may also be undesirable for data privacy reasons, and the list could be used by spammers to send spam.
- As an alternative, it is possible to enter the e-mail addresses in the "BCC" field instead of the "CC" field or to use distribution lists. BCC stands for blind carbon copy, and the additional recipients entered in this field cannot be seen by the other recipients.
- Distribution lists must be checked regularly for up-to-dateness to ensure that e-mails are not delivered to the wrong recipients due to incorrect or not up-to-date distribution lists.
- The users should be familiar with all regulations of the organisation regarding communication, groupware, and e-mail. This includes, for example, when and how signatures (sender details) should be included in an e-mail.
- E-mail is used frequently to transport malware. Users should be informed about the risks of malware and its methods of distribution. They should also know that, despite all security safeguards in an organisation, it may happen that incoming e-mails or their attachments contain malware. For this reason, users should not open e-mails or attachments which appear dubious, for example unexpected attachments.
- To avoid overloads due to e-mail, the employees must be informed of what is considered improper behaviour. They also need to be warned against participating in chain e-mails and subscribing to high-volume mailing lists.
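The "To"/"CC" versus "BCC" point above is easier to teach once users see where the addresses actually go. The following added example (not part of the safeguard text; the function names and the recipient limit of 10 are assumptions for this illustration) drafts a message with Python's standard email package and then splits it the way a mail client or submission server does: every recipient goes into the SMTP envelope, but the Bcc header is removed from the copy that is transmitted, so the other recipients never see those addresses. The last function flags the situation the training text warns about, a message that exposes a long recipient list in To/CC.

```python
import email
from email.message import EmailMessage
from email.utils import getaddresses


def draft_message(sender, subject, body, to=(), cc=(), bcc=()):
    """Draft a message the way a mail client does: all three recipient
    fields (To, Cc, Bcc) are still present at this stage."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    for field, addrs in (("To", to), ("Cc", cc), ("Bcc", bcc)):
        if addrs:
            msg[field] = ", ".join(addrs)
    msg.set_content(body)
    return msg


def prepare_for_transport(msg):
    """Split a draft into (wire_message, envelope_recipients).

    Every recipient is listed in the SMTP envelope (RCPT TO), but the Bcc
    header is stripped from the copy that is transmitted. Bcc recipients
    are therefore invisible to everyone else, which is the whole point.
    """
    fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
              + msg.get_all("Bcc", []))
    envelope = []
    for _name, addr in getaddresses(fields):
        if addr and addr not in envelope:      # deduplicate, keep order
            envelope.append(addr)
    # Re-parse the serialised draft to get an independent copy, then drop Bcc.
    wire = email.message_from_bytes(msg.as_bytes(), policy=msg.policy)
    del wire["Bcc"]
    return wire, envelope


def visible_recipients(msg):
    """Addresses that any recipient can read from the delivered headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(fields)]


def exposes_recipient_list(msg, limit=10):
    """True when a message to many people puts them all in To/Cc.
    The limit is an assumed policy value, not one from the safeguard."""
    return len(visible_recipients(msg)) > limit


if __name__ == "__main__":
    # Constructed sample: one visible recipient, two hidden ones.
    draft = draft_message("alice@example.org", "Minutes", "See attached.",
                          to=["bob@example.org"],
                          bcc=["carol@example.net", "dave@example.net"])
    wire, envelope = prepare_for_transport(draft)
    print("envelope recipients:", envelope)
    print("visible to recipients:", visible_recipients(wire))
    print("Bcc header still present:", "Bcc" in wire)
```

The same split happens inside smtplib's `SMTP.send_message`, which uses To, Cc and Bcc to build the envelope and does not transmit the Bcc header; doing it by hand here only makes the mechanism visible. A distribution list behaves the same way from the recipients' point of view: they see the list address, not its members.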
In most groupware systems, the information is transported in unencrypted form over public lines and may be stored temporarily on a number of intermediate computers before it finally reaches its recipient. It is therefore easy to manipulate the information en route. In addition, the sender of an e-mail is usually allowed to enter any e-mail address as the sender address (From field), which means the authenticity of the sender can only be relied upon after contacting the sender or when digital signatures are used. When in doubt, the authenticity of the sender should be verified by checking with the sender or, even better, by using encryption and/or digital signatures. As a general rule, users should not rely on the authenticity of the sender information in an e-mail.
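Two of the points above, that the From field proves nothing about the sender and that unexpected attachments are the usual malware carrier, can be turned into a simple triage that a client plug-in or a user-awareness demo can run. The following is an added example, not part of the safeguard or of any product: it parses a received message with Python's standard email package, reads the Authentication-Results header that a receiving mail server records (RFC 8601 syntax: "dkim=pass header.d=..." and "spf=pass smtp.mailfrom=..."), and reports whether the From domain was actually verified by DKIM or SPF, in the spirit of a DMARC alignment check. It also lists attachments whose file type executes when opened. The extension lists, the function names and the two sample messages are constructed assumptions for this illustration.

```python
import email
import posixpath
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File types that run as programs when opened (assumed list for this example;
# align it with the organisation's own attachment policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs",
                   ".ps1", ".hta", ".jar", ".msi", ".lnk"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm"}


def sender_domain(msg):
    """Domain of the From header, which the sender chooses freely."""
    _name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def authenticated_domains(msg):
    """Domains the receiving server recorded as DKIM- or SPF-verified in its
    Authentication-Results header (RFC 8601). Only 'pass' results count."""
    passed = set()
    for hdr in msg.get_all("Authentication-Results", []):
        clauses = [c.strip() for c in str(hdr).split(";")]
        for clause in clauses[1:]:          # clauses[0] is the authserv-id
            tokens = clause.split()
            if not tokens:
                continue
            _method, _, result = tokens[0].partition("=")
            if result.lower() != "pass":
                continue
            for tok in tokens[1:]:
                key, _, value = tok.partition("=")
                if key in ("header.d", "header.from", "smtp.mailfrom"):
                    passed.add(value.rpartition("@")[2].lower())
    return passed


def risky_attachments(msg):
    """Attachments a user should treat as unexpected: executables and
    macro-enabled documents, including double extensions such as name.pdf.exe."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = posixpath.splitext(name.lower())[1]
        if ext in EXECUTABLE_EXTS:
            findings.append((name, "executable file type"))
        elif ext in MACRO_EXTS:
            findings.append((name, "macro-enabled document"))
    return findings


def triage(msg):
    """Summarise what a recipient can and cannot trust about a message."""
    from_domain = sender_domain(msg)
    return {
        "from_domain": from_domain,
        "sender_authenticated": from_domain in authenticated_domains(msg),
        "risky_attachments": risky_attachments(msg),
    }


def _sample(from_hdr, auth_results, attachment_name):
    """Constructed sample message, serialised and re-parsed as a client would."""
    draft = EmailMessage()
    draft["From"] = from_hdr
    draft["To"] = "bob@example.org"
    draft["Subject"] = "Invoice"
    draft["Authentication-Results"] = auth_results   # normally added by the MX
    draft.set_content("Please find the invoice attached.")
    draft.add_attachment(b"constructed sample content", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return email.message_from_bytes(draft.as_bytes(), policy=policy.default)


def sample_legitimate():
    return _sample("Alice <alice@example.org>",
                   "mx.example.org; dkim=pass header.d=example.org; "
                   "spf=pass smtp.mailfrom=example.org", "invoice.pdf")


def sample_suspicious():
    # From claims the internal domain, but nothing verified was signed by it,
    # and the attachment name hides an executable behind a .pdf look-alike.
    return _sample("IT Support <helpdesk@example.org>",
                   "mx.example.org; dkim=none; "
                   "spf=pass smtp.mailfrom=bulk.mailer-example.test",
                   "invoice.pdf.exe")


if __name__ == "__main__":
    for label, sample in (("legitimate", sample_legitimate()),
                          ("suspicious", sample_suspicious())):
        print(label, triage(sample))
```

The check deliberately trusts only the Authentication-Results header written by the organisation's own mail server; an external sender can add a header of the same name, so a real deployment must strip or ignore copies that did not originate from its own authserv-id. A "not authenticated" result is a reason to confirm with the sender out of band, exactly as the text above recommends, not proof of forgery, since legitimate mail sent through external list servers or newsletter providers often fails this alignment.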
With e-mails a fast response is expected. The mailbox should therefore be checked several times per day. If absent for a longer period, then a substitute should be arranged, for example by having incoming e-mails forwarded to a substitute (see also S 2.274 Deputisation arrangements for e-mail).
Since it is impossible in many cases to determine which e-mail client a given e-mail recipient uses and which software and operating systems are used on the transportation route, the users should be aware that problems can arise during transmission and that recipients may have problems displaying messages and attachments. Such problems can occur especially when using unusual character sets or file formats, or when using outdated e-mail software.
Users should also be aware of the fact that e-mails may not be received by the recipient for various reasons. Especially with time-critical or important e-mails, the sender should not rely on an automatic receipt confirmation. A preferred alternative is an independent reply, e.g. in the form of a short e-mail with an individually worded confirmation.
Deletion of e-mails
Users must be informed of the fact that an e-mail which they deleted via their mail application themselves has in most cases not been irretrievably deleted. Many mail programs do not delete e-mails immediately, but transfer them to special folders. Users must be instructed on how to completely delete e-mails on their clients.
In addition, e-mails may still be present on mail servers after being deleted on the clients. Many Internet providers and administrators archive incoming and outgoing e-mails. Many mail applications do not delete e-mails, but move them to a "Recycle Bin" area which also has to be erased.
The users must be aware of the fact that the confidentiality of e-mails can only be ensured by encryption and that they must not rely on "quick deletion" after receipt. The same applies to other groupware applications such as diary entries.
Publication of the rules
All rules and operating instructions for the use of groupware must be available to the employees at all times, e.g. in the intranet.
Review questions:
- Have the users been made aware of the threats and required safeguards concerning the use of groupware?