Email Security Policy

1.0 PURPOSE

1.1 The purpose of this policy is to detail the company’s usage guidelines for the email system. This policy will help the company reduce risk of an email-related security incident, foster good business communications both internal and external to the company, and provide for consistent and professional application of the company’s email principles.

2.0 SCOPE

2.1 This policy applies to all subsidiaries, agents, and/or consultants at each of the companies who utilize and/or support company IT assets, systems and information. References in this policy to the “Company” shall mean the company at which you are employed or for which you provide services.

3.0 DEFINITIONS

3.1 None.

4.0 RESPONSIBILITY

4.1 Company Employees

4.1.1 Read and comply with this policy.

4.1.2 Protect the confidentiality, integrity, and availability of Company electronic information.

4.1.3 When contracting with an external IT supplier, help ensure the supplier meets contractual obligations to protect and manage Company IT assets.

4.2 Information Security

4.2.1 Review and update the policy as needed.

4.3 Crowley’s Vendor Management organization

4.3.1 Protect the confidentiality, integrity, and availability of Crowley’s electronic information.

4.3.2 Ensure completion of IT managed services’ Statements of Work.

5.0 OBJECTIVE

5.1 Email is an essential component of business communication; however, it presents a particular set of challenges because of its potential to introduce a security threat to the network. Users are expected to use common sense when sending and receiving email from company accounts, and this policy outlines expectations for appropriate, safe, and effective email use. The company will use its best effort to administer the company’s email system in a manner that allows users to be productive while also reducing the risk of an email-related security incident.

6.0 DEFINITIONS

6.1 Auto Responder: An email function that sends a predetermined response to anyone who sends an email to a certain address. Often used by employees who will not have access to email for an extended period of time, to notify senders of their absence.

6.2 Certificate: Also called a Digital Certificate. A file that confirms the identity of an entity, such as a company or person. Often used in VPN and encryption management to establish trust of the remote entity.

6.3 Data Leakage: Also called Data Loss, data leakage refers to data or intellectual property that is pilfered in small amounts or otherwise removed from the network or computer systems. Data leakage is sometimes malicious and sometimes inadvertent by users with good intentions.

6.4 Email: Short for electronic mail, email refers to electronic letters and other communication sent between networked computer users, either within a company or between companies.

6.5 Encryption: The process of encoding data with an algorithm so that it is unintelligible and secure without the key. Used to protect data during transmission or while stored.

6.6 Mobile Device: A portable device that can be used for certain applications and data storage. Examples are PDAs or Smartphones.

6.7 Password: A sequence of characters that is used to authenticate a user to a file, computer, network, or other device. Also known as a passphrase or passcode.

6.8 Spam: Unsolicited bulk email. Spam often includes advertisements, but can include malware, links to infected websites, or other malicious or objectionable content.

6.9 Smartphone: A mobile telephone that offers additional applications, such as PDA functions and email.

6.10 Two Factor Authentication: A means of authenticating a user that utilizes two methods: something the user has, and something the user knows. Examples are smart cards, tokens, or biometrics, in combination with a password.

7.0 POLICY/PROCEDURE

7.1 Sending Emails

7.1.1 Emails sent from a company email account must be addressed and sent carefully. Users should keep in mind that the company loses all control of an email once it is sent outside the company network.

7.1.2 Users must take extreme care when entering addresses, particularly when address auto-complete features are enabled, when using the Reply All function, or when using distribution lists, in order to avoid inadvertent disclosure of information to an unintended recipient.

7.2 E-mail Signatures & Auto-Responders

7.2.1 An email signature (contact information appended to the bottom of each outgoing email) is recommended for emails sent from the company email system. At a minimum, the signature should include the user’s:

A. Title
B. Company name
C. Phone number(s)
D. Fax number if applicable
E. URL for corporate website

The Corporate Standardized Email Signature Template can be found on C-link.

7.2.2 Email signatures may not include personal messages (political, humorous, etc.). The IT department is able to assist in email signature setup if necessary.

7.2.3 The company recommends the use of an auto-responder if the user will be out of the office for an entire business day or more. The auto-response should notify the sender that the user is out of the office, the date of the user’s return, and who the sender should contact if immediate assistance is required.

7.3 Mass Emailing

7.3.1 The company makes a distinction between the sending of mass emails and the sending of unsolicited email (spam). Mass emails may be useful for both sales and non-sales purposes (such as when communicating with the company’s employees or customer base), and are allowed as the situation dictates. The sending of spam, on the other hand, is strictly prohibited.

7.3.2 It is the company’s intention to comply with applicable laws governing the sending of mass emails. For this reason, as well as to be consistent with good business practices, the company requires that email sent to more than twenty (20) recipients external to the company have the following characteristics:

A. The email must contain instructions on how to unsubscribe from receiving future emails (a simple reply to this message with UNSUBSCRIBE in the subject line will do). Unsubscribe requests must be honored immediately.
B. The email must contain a subject line relevant to the content.
C. The email must contain contact information of the sender.
D. The email must contain no intentionally misleading information (including the email header), blind redirects, or deceptive links.

7.3.3 Emails sent to company employees, existing customers, or persons who have already inquired about the company’s services are exempt from the above requirements.

7.4 Sending large emails

7.4.1 Email systems were not designed to transfer large files and, as such, emails should not contain attachments of excessive file size. Users should limit email attachments to 30 MB or less. For external email systems, the company reserves the right to impose a lower attachment size limit.

7.4.2 Users should recognize the additive effect of large email attachments when sent to multiple recipients, and use restraint when sending large files to more than one person.

7.5 Opening attachments

7.5.1 Users must use care when opening email attachments. Viruses, Trojans, and other malware can be easily delivered as an email attachment.

7.5.2 Users should:

A. Never open unexpected email attachments.
B. Never open email attachments from unknown sources.
C. Never click links within email messages unless the user is certain of the link’s safety. It is often best to copy and paste the link into the web browser, or retype the URL, because specially formatted emails can hide a malicious URL.

7.5.3 The company may block emails it considers dangerous, or strip potentially harmful email attachments, as it deems necessary.

7.6 Company ownership and business communications

7.6.1 Users should be advised that the company owns and maintains all legal rights to its email systems and network; thus any email passing through these systems is owned by the company and may be used for purposes not anticipated by the user. Keep in mind that email may be backed up, otherwise copied, retained, or used for legal, disciplinary, or other reasons. Additionally, the user should be advised that email sent to or from certain public or governmental entities may be considered public record.

7.6.2 Users are asked to recognize that email sent from a company account reflects on the company, and, as such, email must be used with professionalism and courtesy. The company uses email as an important communication medium for business operations. Users of the corporate email system are expected to check and respond to email in a consistent and timely manner.

7.6.3 Users must use the corporate email system for all business-related email. Users are prohibited from sending business email from a non-company-provided email account.

7.7 Personal Use

7.7.1 Users are required to use a non-company-provided (personal) email account for all non-business communications. The corporate email system is for corporate communications.

7.7.2 Users must follow applicable policies regarding the access of non-company-provided accounts from the company network.

7.8 Monitoring and privacy

7.8.1 Users should expect no privacy when using the corporate network or company resources. Such use may include, but is not limited to, transmission and storage of files, data, and messages. The company reserves the right to monitor any and all use of the computer network. To ensure compliance with company policies, this may include the interception and review of any emails or other messages sent or received, and inspection of data stored on personal file directories, hard disks, and removable media.

7.9 Sensitive data

7.9.1 Sensitive data should be sent via an encrypted attachment and not in plain text within an email. Email is an insecure means of communication. Users should think of email as they would a postcard, which, like email, can be intercepted and read on the way to its intended recipient.

7.9.2 The company supports encryption for outbound email using Transport Layer Security (TLS) for all remote connections and supports TLS encryption for inbound Simple Mail Transfer Protocol (SMTP) sessions. Additional encryption methods are available for attachments within the email. Contact Information Security for assistance with this.

7.9.3 Passwords used to access email accounts must be kept confidential and used in adherence with the Password Policy. At the discretion of the Chief Technology Officer (CTO), the company may further secure email with certificates, two factor authentication, or another security mechanism.

7.10 Data leakage

7.10.1 Unauthorized emailing of company data, confidential or otherwise, to external email accounts in order to store that data outside company systems is prohibited. If a user needs access to information from external systems (such as from home or while traveling), that user should notify his or her supervisor rather than emailing the data to a personal account or otherwise removing it from company systems.

7.10.2 The company may employ data loss prevention techniques to protect against leakage of confidential data at the discretion of the CTO or their designee.

7.11 Company administration of e-mail

7.11.1 Filtering:

A. The company will filter email at the Internet gateway and/or the mail server, in an attempt to filter out spam, viruses, or other messages that may be deemed a) contrary to this policy, or b) a potential risk to the company’s IT security. No method of email filtering is 100% effective, so the user is additionally asked to be cognizant of this policy and use common sense when opening emails.
B. Many email and/or anti-malware programs will identify and quarantine emails that they deem suspicious. This functionality may or may not be used, at the discretion of the IT Security Manager or their designee.
C. Users must understand that the company has little control over the contents of inbound email, and that this email may contain material that the user finds offensive. If unsolicited email becomes a problem, the company may attempt to reduce the amount of this email that users receive; however, no solution will be 100% effective. The best course of action is to not open emails that, in the user’s opinion, seem suspicious. If the user is particularly concerned about an email, or believes that it contains illegal content, he or she should notify his or her supervisor.

7.11.2 Storage Limits & Email Retention:

A. Email storage may be provided on company servers or other devices. The email account storage size must be limited to what is reasonable for each employee, at the determination of the CTO or their designee. Storage limits may vary by employee or position within the company.
B. Email should be retained and backed up in accordance with the applicable policies. Unless otherwise indicated, for the purposes of backup and retention, email should be considered operational data.
C. Users are encouraged to delete email periodically when the email is no longer needed for business purposes. The goal of this policy is to keep the size of the user’s email account manageable, and reduce the burden on the company to store and backup unnecessary email messages.
D. Users are strictly forbidden from deleting email in an attempt to hide a violation of this or another company policy. Further, email must not be deleted when there is an active investigation or litigation where that email may be relevant.

7.11.3 Email addresses must be constructed in a standard format in order to maintain consistency across the company. The recommended format is:
∙ Domainname@companydomain.com
∙ Firstname.lastname@companydomain.com (Alias)
∙ Domainname@Crowley365.mail.onmicrosoft.com (Alias)

7.11.4 Aliases

A. The use of an email alias, which is a generic address that forwards email to a user account, is often a good idea when the email address needs to be in the public domain, such as on the Internet. Aliases reduce the exposure of unnecessary information, such as the address format for company email, as well as (often) the names of company employees who handle certain functions. Keeping this information private can decrease risk by reducing the chances of a social engineering attack. A few examples of commonly used email aliases are:
∙ sales@companydomain.com
∙ techsupport@companydomain.com
∙ pr@companydomain.com
∙ info@companydomain.com
B. The company may or may not use email aliases, as deemed appropriate by the CTO or their designee and/or executive team. Aliases may be used inconsistently, meaning the company may decide that aliases are appropriate in some situations but not others, depending on the perceived level of risk.

7.11.5 Account activation:

A. Email accounts will be set up for each user determined to have a business need to send and receive company email.
B. Accounts will be set up at the time a new hire starts with the company, or when a promotion or change in work responsibilities for an existing employee creates the need to send and receive email.

7.11.6 Account termination:

A. When a user leaves the company, or his or her email access is officially terminated for another reason, the company will disable the user’s access to the account by password change, disabling the account, or another method. The company is under no obligation to block the account from receiving email, and may continue to forward inbound email sent to that account to another user, or set up an auto-response to notify the sender that the company no longer employs the user.

7.12 Prohibited actions

7.12.1 The following actions shall constitute unacceptable use of the corporate email system. This list is not exhaustive, but is included to provide a frame of reference for the types of activities that are deemed unacceptable. The user may not use the corporate email system to:

A. Send any information that is illegal under applicable laws.
B. Access another user’s email account without a) the knowledge or permission of that user – which should only occur in extreme circumstances, or b) the approval of company executives in the case of an investigation, or c) when such access constitutes a function of the employee’s normal job responsibilities.
C. Send any emails that may cause embarrassment, damage to reputation, or other harm to the company.
D. Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, harassing, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
E. Send emails that cause disruption to the workplace environment or create a hostile workplace. This includes sending emails that are intentionally inflammatory, or that include information not conducive to a professional working atmosphere.
F. Make fraudulent offers for products or services.
G. Attempt to impersonate another person or forge an email header.
H. Send spam, solicitations, chain letters, or pyramid schemes.
I. Knowingly misrepresent the company’s capabilities, business practices, warranties, pricing, or policies.
J. Conduct non-company-related business.

The company may take steps to report and prosecute violations of this policy, in accordance with company standards and applicable laws.

8.0 RELATED DOCUMENTATION

8.1 CPP-IT-006 Information Security Policy
8.2 CPP-IT-015 Acceptable Use Policy

Effective Date: 1/19/2018 – CPP-IT-009