Email Access Security Advisory


FROM:             Kevin Burns, Chief Information Security Officer, Commonwealth of Massachusetts

DATE:              October 9, 2013

RE:                  Advisory Memorandum – Email Access

The Commonwealth Chief Information Security Officer (CISO) is issuing this Security Advisory Memorandum in response to questions raised relative to the practices of auto-forwarding and/or manually forwarding email pertaining to official Commonwealth business from Commonwealth email accounts to personal email accounts.

This advisory serves as a reminder that forwarding Commonwealth email pertaining to official Commonwealth business to personal email accounts is a violation of the Commonwealth Enterprise Security Policies and Standards and therefore is prohibited. Please note the following excerpts from existing policies and standards that prohibit such use:

Enterprise Electronic Communications Policy (Section 3)

Use of private email (i.e., a commercial email system or service, separate and apart from an agency's primary email system) and "Public" Instant messaging (IM) have been primary sources of unauthorized intrusion (e.g., virus instantiation) and other instances of malware.  Therefore, users who access and utilize private email and “Public” Instant messaging do so with the following understanding:

  • Private email or “Public” Instant messaging is not an authorized or official method of communicating business related information.  Users are required to utilize their agency’s designated email or IM technology, e.g. MassMail, Lync for any official business communications that are transmitted via email or IM.

Enterprise Data Classification Standards (Section B)

Also, any data that is classified as having high sensitivity that will be transported between agencies or externally to an environment outside of the Commonwealth's wide area network (MAGNet) must be encrypted and a log maintained with details of the transfer, including the date, the data description, the receiving agency, entity or individual and if the recipient is an agency or entity, the person who received it.

Enterprise Communications and Operations Management Policy (Section 14)

Exchange of information: Agencies are required to maintain the security of information and software exchanged within an organization and with any external entity.

Further, utilizing personal email accounts for business purposes complicates processes such as Freedom of Information Act requests and compliance reviews.

Business Need

The Commonwealth’s Chief Information Security Officer recognizes that there is a need for individuals to have remote access to Commonwealth systems and information. To that end, there are four approved methods for accessing Commonwealth email content remotely:

  • ITD approved Business Partner Solutions:
    • Outlook Web Access
    • Blackberry Service Offering
    • ActiveSync Connectivity w/Signed User Agreement
    • Enterprise VPN Solution

Variance Requirement

Any request for a variance to allow an unauthorized manner of access must:

  • Be submitted to the ITD Security Office,
  • Include a documented plan which:
    • Articulates the reason for the request,
    • Enumerates the changes required for compliance,
    • Details what alternative compensating controls are proposed that will ensure all the requisite control objective(s) of the policy and standards will be met.

These requests will be processed according to the requirements of Enterprise Policies for variance requests.

Concerns regarding this advisory can be sent to: standards@state.ma.us as well as to the CISO’s office at kevin.burns@state.ma.us.