| Reference # | Issue # | Issue Date |
| --- | --- | --- |
| ITD-SEC-3.2 Issue 2 | 3.2 | 6/14/2012 |
Electronic communication includes any communication that is transmitted, acknowledged, stored, downloaded, displayed, or printed by an electronic communication system or service. Because electronic communication is ubiquitous and critical to Commonwealth agencies’ and organizations’ ability to provide efficient constituent support, this policy focuses on the specific category of electronic messaging (i.e., email, instant messaging, etc.) and the related threats that, if left unmitigated, may lead to a loss of data and/or system integrity, confidentiality, or availability.
All agencies and entities governed by the overarching Enterprise Information Security Policy must adhere to requirements of this supporting policy.
- Executive Department Agencies, in addition to any agency or third party that connects to the Commonwealth’s wide area network (MAGNet), must comply with this policy;
- Executive Department Agencies are required to ensure compliance by any business partner that accesses Executive Department IT Resources or shared environments, e.g. MAGNet; and
- Executive Department Agencies are required to ensure compliance by third parties in any aspect of the process of providing goods and services to their agency. These include, but are not limited to, electronic data collection, storage, processing, disposal, dissemination and maintenance. Third parties that interact in any way with Executive Department Commonwealth IT Resources, e.g. MAGNet, are required to comply with this policy.
Other Commonwealth entities are encouraged to adopt, at a minimum, security requirements in accordance with this Enterprise Electronic Messaging Communications Security Policy or a more stringent agency policy that addresses agency specific and business related directives, laws, and regulations.
Commonwealth agencies and organizations must continue to strive for electronic messaging communications reliability, availability, integrity, and performance by supporting enterprise and local agency efforts including, but not limited to, the following:
1. Enterprise Filtering
EOTSS currently filters Internet - MAGNet inbound and outbound email as follows:
1.1. Known Viruses: subject line, message body, and attachment(s). Emails containing files whose extensions are associated with viruses are discarded. Users must be aware that emails containing executable files may be discarded.
1.2. Content Spam: Including subject line and/or specific spam content requested by an agency or otherwise identified as spam.
1.3. RFC 2822 (see: http://www.faqs.org/rfcs/rfc2822.html): a standard specifying acceptable syntax for text messages sent between computer users, within the framework of “electronic mail” messages.
1.4. Message Segmentation: All multi-part MIME messages will be blocked at the gateway. Message segmentation allows a large message to be divided into smaller messages for transmission. Because these smaller messages may hide viruses and other malicious software, message segmentation is banned.
Please Note: MAGNet-inbound Internet sourced email - including replies back to a MAGNet mail account message source - are scanned by filtering software.
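As an added illustration of the inbound filtering rules in 1.1 and 1.4 (example code, not EOTSS’s gateway filter), the following Python script triages a raw message and reports why it would be discarded. The extension block list is constructed, since the policy does not enumerate extensions, and the segmentation check keys on the RFC 2046 `message/partial` content type, which is the MIME mechanism for splitting one message into fragments; the three sample messages are constructed for the example.

```python
"""Gateway-style triage of an inbound message against two of the rules above:
discard executable attachments (1.1) and discard segmented messages (1.4).
Added example; this is not EOTSS's filtering software."""
import email
import os
from email import policy

# Constructed block list: the policy does not enumerate extensions.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def scan_message(raw: str) -> list:
    """Return the reasons a message would be discarded; an empty list means it passes."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        # RFC 2046 message/partial is the MIME segmentation mechanism: each
        # fragment arrives and is scanned on its own, so content split across
        # fragments cannot be reassembled and inspected at the gateway.
        if part.get_content_type() == "message/partial":
            reasons.append("segmented message (message/partial)")
        filename = part.get_filename()
        if filename:
            # Compare the extension case-insensitively ("Invoice.EXE" is still .exe).
            ext = os.path.splitext(filename)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"blocked attachment extension: {filename}")
    return reasons


def should_discard(raw: str) -> bool:
    """True when the gateway would drop the message under rule 1.1 or 1.4."""
    return bool(scan_message(raw))


# Constructed sample messages (not real traffic).
SEGMENTED = """\
From: sender@example.com
To: user@example.gov
Subject: report (1/3)
MIME-Version: 1.0
Content-Type: message/partial; id="frag-1@example.com"; number=1; total=3

Subject: report
Content-Type: text/plain

first third of the original message body
"""

EXECUTABLE = """\
From: sender@example.com
To: user@example.gov
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached file.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

CLEAN = """\
From: sender@example.com
To: user@example.gov
Subject: minutes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Minutes attached.
--b2
Content-Type: application/pdf
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for name, raw in [("segmented", SEGMENTED), ("executable", EXECUTABLE), ("clean", CLEAN)]:
        print(name, "->", scan_message(raw) or "pass")
```

The script reports a reason per matching part rather than stopping at the first hit, so a log of discards shows every rule a message tripped; that is the information a user who sees their executable attachment discarded (1.1) would ask CommonHelp about.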
2. Commonwealth Agency & Organization Filtering
Non-MassMail Agencies may continue to deploy local content filtering technology that screens agency-specific transmission of email, subject to restrictive attributes defined by each agency. Agencies that have documented that they have adopted and distributed to all new and current employees an acceptable use policy that states that employees have no expectation of privacy in their workplace email are empowered to content filter outgoing employee email with minimal risk of violating employees’ privacy rights. Even in agencies that have such documentation, content filtering incoming email poses the risk of violating outside parties’ rights under the Commonwealth’s Privacy Law, Mass. Gen. L. ch. 214, and Wiretap Statute, Mass. Gen. L. ch. 272, sec. 99. Agency counsel should consult EOTSS' General Counsel prior to advising their clients that they may content filter incoming electronic mail.
3. Private Email Accounts
Use of private email (i.e., a commercial email system or service, separate and apart from an agency's primary email system) and "Public" Instant messaging (IM) have been primary sources of unauthorized intrusion (e.g., virus instantiation) and other instances of malware. Therefore, users who access and utilize private email and “Public” Instant messaging do so with the following understanding:
3.1. Private email or “Public” Instant messaging is not an authorized or official method of communicating business related information. Users are required to utilize their agency’s designated email or IM technology, e.g. MassMail or Lync, for any official business communications that are transmitted via email or IM.
3.2. Users are prohibited from downloading or sending attachments using their private email or IM accounts from inside MAGNet.
3.3. EOTSS reserves the right to log and monitor all traffic that enters or leaves Commonwealth managed networks, regardless of whether the traffic is personal in nature. Therefore, access to and use of a private email or public IM system from a Commonwealth ITR or from within a Commonwealth managed network should not be considered private.
3.4. Users who are identified as being a source of unauthorized intrusion may be disconnected from the network. Re-establishing connection will be at the discretion of the Enterprise Security Office in consultation with the user’s Senior Management.
4. Exception Requests
If an agency or organization determines that the use of private email and/or Instant Messaging is critical to its mission, the agency head or their designee must request an exception to this policy. Such a request must document reasons the exception is required, under what circumstances, duration, and access controls that will ensure that the agency has taken sufficient steps to mitigate or isolate the associated threat, (e.g., how email account users are prevented from simultaneous access to the agency’s default email and private email accounts). Documented requests for exceptions must be submitted to EOTSS and the Enterprise Security Board for review and approval prior to agency implementation.
5. Additional Legal Issues
All electronic messages created or received by state employees using the Commonwealth’s information technology resources are public records under the Commonwealth’s Public Records Law, Mass. Gen. L. ch. 66, sec. 10, and most are therefore subject to public scrutiny. All such electronic messages are also records subject to the Commonwealth’s Records Conservation Law, Mass. Gen. L. ch. 30, sec. 42, and must be disposed of or retained according to the agency’s disposition schedule and the Commonwealth’s Records in Common disposition schedule. The majority of such messages are also potentially discoverable communications for purposes of litigation. Thus, agency heads and organization authorities must ensure that all electronic communications are retained, disposed of, and disclosed in compliance with the Public Records Law, the Records Conservation Law and the relevant discovery rules.
Agencies within the Executive Department must comply with this Enterprise Electronic Messaging Communications Security Policy. All Commonwealth agencies and organizations must comply with this policy as a prerequisite for access to and/or participation within MAGNet, and/or to use information resources managed by EOTSS. Vendors who seek to work with any agency or organization within the Commonwealth of Massachusetts must comply with this and all the Commonwealth’s Enterprise Security Policies, Standards and Procedures as published by EOTSS.
All agencies and entities governed by the overarching Enterprise Information Security Policy are subject to the referenced roles and responsibilities in addition to those specifically stated within this supporting policy. The roles and responsibilities associated with implementation and compliance with this policy follow:
Assistant Secretary for Information Technology
- The Assistant Secretary for Information Technology is responsible for the approval and adoption of the Enterprise Electronic Messaging Communications Security Policy and its revisions.
Secretariat Chief Information Officer (SCIO) and Agency Head
- Agency Heads and/or their designees are responsible for ensuring that employees, contractors, and/or business partners that may be affected, are aware of this policy.
Secretariat or Agency Information Security Officer (ISO)
- Ensure that the goals and requirements of the Enterprise Electronic Messaging Communications Security Policy are implemented and met.
Enterprise Security Board (ESB)
- Recommend revisions and updates to this policy and related standards.
The Executive Office of Technology Services and Security (EOTSS)
- After review of any related recommendations of the Enterprise Security Board, issue revisions and updates to this policy and related standards.
- Commonwealth agency and organization users must not introduce electronic messages that may damage the local or enterprise (MAGNet) environment. Items that could be considered a detriment include, but are not limited to, viruses, distributed denial of service attacks, Trojans, worms, and/or personal electronic communications contributing to network congestion.
- If the user is unsure of the identity of the sender of an email, the recipient should determine whether the email should be deleted without opening it (deleting it is advisable in order to protect the physical and digital assets of the Commonwealth). The recipient may telephone the sender to ask if the email is legitimate. The recipient may also consult CommonHelp for guidance.
- The user should have their email configured so that an email is not automatically opened when a previous email is closed, deleted or moved.
Enterprise Access Control Security Policies and Standards
Key terms used in this policy have been provided below for your convenience. For a full list of terms please refer to the Information Technology Division’s web site where a full glossary of Commonwealth Specific Terms is maintained.
Agency – A department, bureau, commission, board, office, council, or other entity in the executive department of government, created by the Massachusetts constitution or statute.
Business Partner – A generic term referring to both contracted business partners and statutory business partners. (See definitions for “Contracted Business Partner” and “Statutory Business Partner” below).
Employees – Agency’s employees or individuals under contract with the agency to provide services and paid directly by the agency whose work is controlled and directed by the agency.
Information Technology (IT) Resources – The Commonwealth’s computers, printers, and other peripherals, programs, local and wide area networks, access to the Internet when provided by the Commonwealth, and remote access methods including VPN.
MAGNet – Commonwealth’s Wide Area Computer Network.
User – Any workforce member (or computer performing automated tasks) with a legitimate reason and purpose to use Commonwealth IT resources.
| Date | Action | Effective Date | Next Review Date |
| --- | --- | --- | --- |
| 6/14/2012 | Reference #: ITD-SEC-3.2 Issue 2 Enterprise Electronic Messaging Communications Security Policy Published | 6/14/2012 | 6/14/2013 |
| 12/16/15 | Accessibility remediation - no content changes | 2/18/16 | 1/1/17 |