Communications Security
SB.3.005 Organisational mails
Applications that communicate with end-users do so from an organisational domain and an organisational email account.
SB.3.004 Warnings on external communication
Communication originating outside the organisation must be clearly distinguishable from internal communication, with a warning that the sender is outside the organisation. This includes electronic messages received in email clients.
SB.3.003 Technical email security
IT components send email to end-users from an address in a domain for which the organisation is legally responsible. Mail servers take measures to prevent the reception and transmission of spam and malicious mail. Mail should be revocable on managed servers and supported endpoints. Links in email should be checked so that malicious links are not delivered. Mail server reputation is monitored; thresholds are defined and action is taken to restore the reputation when it falls below them.
SB.3.002 Email forwarding
Automatic forwarding of email to external addresses is denied by default; any exception is explicitly approved.
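The following is an added example and not part of the control catalogue. It shows one way to implement the checks behind SB.3.004 (tag inbound mail whose sender is external) and SB.3.002 (audit mailbox rules that auto-forward to external addresses, deny by default) with a single shared helper, `is_external()`, using only the Python standard library. `ORG_DOMAINS`, `EXTERNAL_TAG`, the sample messages and the sample rules are assumptions constructed for this example; a real deployment would take the domain list from the organisation's registry and the rules from the mail platform's API.

```python
# Added example, not part of the control catalogue. One helper, is_external(),
# decides whether an address belongs to the organisation; it is reused for
# SB.3.004 (tag inbound mail from external senders) and SB.3.002 (audit
# mailbox rules that auto-forward to external addresses, deny by default).
# ORG_DOMAINS, EXTERNAL_TAG, the sample messages and the sample rules are
# constructed for this example and are assumptions, not catalogue values.
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

ORG_DOMAINS = frozenset({"example.org"})  # assumed: domains the organisation controls
EXTERNAL_TAG = "[EXTERNAL]"


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the mailbox address is outside every organisation domain.

    Only the addr-spec is examined, so a display name that merely looks
    internal ('"it-support@example.org" <x@evil.example>') does not pass.
    Subdomains of an organisation domain count as internal; anything that
    is not a parseable address is treated as external (fail closed).
    """
    _, addr = parseaddr(address)
    if "@" not in addr:
        return True
    domain = addr.rsplit("@", 1)[1].lower()
    return not any(domain == d.lower() or domain.endswith("." + d.lower())
                   for d in org_domains)


def tag_external(raw_message: str, org_domains=ORG_DOMAINS) -> Message:
    """SB.3.004: prefix Subject with the tag and add an X-External-Sender
    header when From or Reply-To is outside the organisation. Reply-To is
    checked because a reply would otherwise leave the organisation unnoticed.
    Internal mail is returned untouched."""
    msg = message_from_string(raw_message)
    senders = [h for h in (msg.get("From"), msg.get("Reply-To")) if h]
    # A message without any From header is not trusted as internal.
    external = not senders or any(is_external(h, org_domains) for h in senders)
    if external:
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".rstrip()
        if msg.get("X-External-Sender") is None:
            msg["X-External-Sender"] = "yes"
    return msg


def audit_forwarding_rules(rules, org_domains=ORG_DOMAINS, approved=frozenset()):
    """SB.3.002: return (mailbox, recipient) pairs for every rule that
    forwards or redirects mail to an external address not on the explicit
    exception list `approved`. Deny by default: an external recipient is a
    violation unless it has been individually approved."""
    forwarding_actions = {"forward", "forward_as_attachment", "redirect"}
    violations = []
    for rule in rules:
        if rule.get("action") not in forwarding_actions:
            continue
        for _, addr in getaddresses(rule.get("to", [])):
            if is_external(addr, org_domains) and addr.lower() not in approved:
                violations.append((rule["mailbox"], addr))
    return violations


# Constructed sample input for the example (assumed, not real traffic).
SAMPLE_EXTERNAL = """From: "it-support@example.org" <helpdesk@evil.example>
To: alice@example.org
Subject: Password reset required

Click the link within 24 hours.
"""

SAMPLE_INTERNAL = """From: Bob <bob@mail.example.org>
To: alice@example.org
Subject: Quarterly numbers

Attached.
"""

SAMPLE_RULES = [
    {"mailbox": "alice@example.org", "action": "forward",
     "to": ["team@mail.example.org"]},                          # internal: fine
    {"mailbox": "carol@example.org", "action": "redirect",
     "to": ["carol.personal@mail.example"]},                    # external: violation
    {"mailbox": "dave@example.org", "action": "move", "to": []},  # not a forward
    {"mailbox": "erin@example.org", "action": "forward",
     "to": ["partner@partner.example"]},                        # external, approved
]
APPROVED_EXTERNAL = frozenset({"partner@partner.example"})

if __name__ == "__main__":
    print(tag_external(SAMPLE_EXTERNAL)["Subject"])
    print(audit_forwarding_rules(SAMPLE_RULES, approved=APPROVED_EXTERNAL))
```

The sender check deliberately ignores the display name: the impersonation case in `SAMPLE_EXTERNAL` has an internal-looking name wrapped around an external address and is still tagged. The forwarding audit treats every external destination as a finding unless it appears in the explicit allow-list, which is what "denied by default" means in practice; missing or malformed addresses are reported rather than silently skipped.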
SB.3.001 Encrypted connections
All data in transit is transferred over encrypted connections, either by using the encrypted variant of a protocol or by tunnelling a plaintext protocol over an encrypted connection.