If I were to build an email security policy

If I were to build a security policy for my company, I would start with the email security policy. Email is often a company's most vulnerable entry point, as seen at Google (Project Aurora), Ubiquiti Networks, Save the Children and the City of Saskatoon, to mention just a few. Given that the common point of entry in my series on Malware Analysis and Phishing was email, I would start there, assuming I have 90 days to put a security policy together.

My first course of action would be to analyze our business model, communication channels and risk factors, including our risk tolerance and risk acceptance level, while ensuring that the policy in no way becomes redundant or difficult for end users to navigate. Too much security, especially when rolled out in such a short time, can overwhelm end users who have already gotten used to the existing system, and the last thing any business wants is slower operations (a longer, more stakeholder-friendly way of looking at the risks involved). FURPS would of course be taken into account, since I am assuming I am building the system from scratch and would have to meet with subject matter experts as my system analysis progresses. Assuming I have 90 days to start building my security policies, this would be my email security policy for my company.


Email Security Policy

Afukam Security

Effective date: 2025-06-12

Last reviewed: 2025-09-16

Owner: IT / Security department

Purpose

This email security policy establishes requirements to ensure secure use of email systems within Afukam Security. It is designed to implement NIST SP 800-177r1, NIST SP 800-45 Version 2, ISO/IEC 27002:2022, ISO/IEC 27001, and the SANS Institute guide to email use and phishing awareness.

Scope

This policy applies to all:

  • Employees, third-party users, stakeholders (external, internal, operational and executive) and contractors

  • Personal or company-owned / managed devices used to access corporate email networks

  • Communications sent or received through the organization's email infrastructure

Policy Details

Data Sovereignty:

All materials stored or received using Afukam’s IT assets are the exclusive property of Afukam.

Afukam retains the right to monitor, access, audit and disclose such materials without prior notice to ensure compliance with applicable laws, regulatory requirements and organizational security policies.

Users are responsible for ensuring that their use of company systems complies with established security policies and standards.

Email Security Measures

Vigilance and proper understanding of social engineering:

All incoming emails undergo filtering and checks for malicious software, and emails containing malware will be isolated for review. Malware can disrupt business in many ways. All suspected threats must be reported to IT.

Social engineering tactics, often used by threat actors, can slow down business operations and must be taken seriously; any suspected social engineering attempt should be forwarded to the IT department for further review. Users will be periodically trained on the social engineering tactics used by threat actors, following industry and regulatory trends.

Blocking malicious senders: IP addresses and email domains known to be malicious will automatically be blocked, and misbehaving accounts will be investigated and deactivated.

Proper use of email

Email should be used solely for business-related purposes and must reflect professionalism.

All attachments are usually scanned for malware.

Prohibited activities:

  • Using email for any form of harassment

  • Using email for personal matters

  • Violating copyright laws

  • Sending emails from another person's account without proper authorization

  • Catfishing via email

  • Disabling security features

  • Distributing malware

  • Engaging in spam-like activities

Confidentiality

Encryption:

Any sensitive information sent outside the company's network must be encrypted. Real passwords or keys must never be sent over email.
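One way to turn the sender-blocking and malware-isolation measures above, together with this encryption clause, into a single enforceable gateway check. This is an added example, not the policy's or Afukam's own code; the blocklists, the company domain, the use of the RFC 2156 Sensitivity: header as the "sensitive" marker, and the Received:-header parsing are all assumptions.

```python
import ipaddress
import re
from email import message_from_string, policy

# Constructed sample values, not from the policy: a known-bad domain, a known-bad
# IP range, and a placeholder for the company's own domain.
COMPANY_DOMAIN = "afukam.example"
BLOCKED_DOMAINS = {"badsender.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumption: encrypted mail is S/MIME or PGP/MIME, i.e. one of these content types.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}

def addr_domain(header_value):
    """Lowercased domain part of an address such as 'Alice <alice@x.example>'."""
    m = re.search(r"@([\w.-]+)", str(header_value or ""))
    return m.group(1).lower() if m else ""

def peer_ip(msg):
    """IPv4 address the edge MTA recorded in the topmost Received: header, if any."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg["Received"] or ""))
    return ipaddress.ip_address(m.group(1)) if m else None

def apply_policy(raw_message):
    """Classify one RFC 5322 message under the policy: block, reject, scan or deliver."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = addr_domain(msg["From"])
    # Blocking malicious senders: listed domains (with subdomains) and IP ranges.
    if any(sender == d or sender.endswith("." + d) for d in BLOCKED_DOMAINS):
        return "block"
    ip = peer_ip(msg)
    if ip is not None and any(ip in net for net in BLOCKED_NETWORKS):
        return "block"
    # Encryption clause: sensitive mail leaving the company must be encrypted.
    # Assumption: the client marks such mail with the RFC 2156 Sensitivity: header.
    recipients = [addr_domain(a) for a in str(msg["To"] or "").split(",")]
    leaving = sender == COMPANY_DOMAIN and any(r != COMPANY_DOMAIN for r in recipients)
    if leaving and msg["Sensitivity"] and msg.get_content_type() not in ENCRYPTED_TYPES:
        return "reject"
    # Attachments are isolated for a malware scan before release.
    if any(part.get_filename() for part in msg.walk()):
        return "scan"
    return "deliver"

if __name__ == "__main__":
    # Constructed sample: sensitive mail leaving the company in clear text.
    print(apply_policy("From: alice@afukam.example\nTo: partner@other.example\n"
                       "Sensitivity: Company-Confidential\n\nQ3 numbers\n"))
```

The "scan" verdict only routes the message to the malware scanner; the scanner itself and the account-deactivation step for misbehaving senders are out of scope here.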

Security precautions:

Email is not a secure channel, so sensitive information should not be emailed to third parties. See the encryption clause.

Representation:

Unless authorized to do so, users must avoid giving the impression that they are speaking on behalf of the company.

Content restrictions:

Employees must keep all company-related documents private and must avoid sending files that could create a legal liability or a PR nightmare for the company.

Availability

Email retention period: Emails will be retained for a 12-month period, after which they will be wiped from the system.

And that is a wrap for the email security policy, guys.

Written by

Chiafukamnanya Nwanonenyi

Red team + Blue team + Writing