Library and Archives Canada
Symbol of the Government of Canada

Institutional links

Government

Previous | Table of Contents | Next

Email Management Guidelines

5. Institutions must ensure that their email records are maintained, protected and preserved in accordance with appropriate retention schedules

Individual institutions must ensure that information of enduring value to the Government of Canada or to Canadians is available for current and future use. Institutions should conduct a risk assessment to determine the appropriate retention schedules for various types of information - the key being that the content of the record is what determines how long it should be kept - not the technology or medium used to create it. Users should refer to the institution's classification structure and related retention schedules in order to ensure that messages are stored in the appropriate repository, for the appropriate period of time.

Essential records must be safeguarded. Records should be protected by appropriate network security and physical security measures. They should also be protected to ensure their usability, including the usability of encrypted information, over time and through technological change. It is vitally important to create, maintain and preserve email system and storage system documentation for effective disaster recovery, and to substantiate the authenticity of email messages involved in judicial, audit or ATIP proceedings. A key requirement is the ability for institutions to protect email messages from improper disclosure, use, disposition or destruction, in accordance with legal and policy obligations. It may be necessary on occasion to apply hold orders, to delay disposition of records that may be required for legal purposes.

Expected Outcome

In any given federal government institution, the following benchmarks will have been achieved:

  • Information contained in email that is of enduring value to the Government of Canada or to Canadians will be reliably available for current and future use.
  • It will be possible to ensure the usability of email, including the usability of encrypted information, over time and through technological change.
  • Retention schedules will be known by email users and correctly applied based on the content of the email.
  • Email messages will be reliably protected from improper disclosure, use, disposition or destruction, in accordance with legal and policy obligations.

5.1. Email systems should not be subjected to indiscriminate purges

Email systems should not be subjected to periodic and indiscriminate purges of messages, whether by manual or by automated means, whether by users or by network or system administrators. Messages should only be deleted or disposed of in accordance with institution-approved disposition schedules and must not be disposed of simply because the mailbox is "full" or because the messages have aged beyond some arbitrary time limit.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators

5.2 Manage email records to allow access by authorized staff

To allow the institution to continue to do its work, email management systems and programs should provide the flexibility to allow authorized staff to obtain access to email when the holder of the email account is absent.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Operational Managers

5.3. Remove encryption before leaving an institution

Encryption should be removed from email messages and attachments before a user leaves an institution.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users

5.4. Remove encryption before transferring email to Library and Archives Canada

Encryption should be removed from email messages and attachments before they are transferred to Library and Archives Canada. The user should decrypt the message if he or she is still with the organization at the time. Otherwise, the operational manager responsible for the part of the organization where the message was produced should decrypt the message. In the latter instance, the advice of an information management specialist and the assistance of a network or system administrator may be required. In the absence of the operational manager or the user, the information management specialist should have the authority to decrypt the message, with the assistance of a network or system administrator.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists
  • Operational Managers

5.5. Provide security for networks that support email

Email programs and systems should be supported by networks that are protected by standard technologies such as firewalls, and protection against threats such as those listed below (note that the following list is not exhaustive):

  • Unauthorized access
  • Viruses, worms, Trojan horses, ActiveX and Java applets
  • Spam
  • Spyware, adware and pop-ups
  • Other invasive threats as may arise from time to time

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators

5.6. Use passwords, change them regularly and keep them secret

Network or system administrators should set up password systems and ensure that users comply with password policies. An important first step it to protect password files themselves. To do so, administrators should first change the system or application manufacturer's default administration password (if any). These default passwords are widely known and easily exploited by hackers to gain access to the hundreds or thousands of passwords used in institution.

Users should select passwords that are difficult to guess, (avoiding names of one's children, pets, favourite local sports teams, local celebrities, etc.). Passwords should be consistent with institution-approved password standards and attributes. Users should also keep their passwords secret, and change them on schedule.

Suggestions on Improving Password Security
From the Canadian Handbook on Information Technology Security - section 16.1.1 - Passwords
Available from Canada's Communications Security Establishment
Password generators If users are not allowed to generate their own passwords, they cannot pick easy to-guess passwords. Some generators create only pronounceable non-words to help users remember them. However, users tend to write down hard-to remember passwords.
Pass-phrases. The use of a short phrase rather than a single word may improve passwords. The phrase is normally easier for the user to remember, and the result may be more secure provided that obvious phrases are avoided.
Limits on log-in attempts Many operating systems can be configured to lock a user ID after a set number of failed log-in attempts. This helps to prevent guessing of passwords.
Password attributes Users can be instructed, or the IT system can force them, to select passwords (1) with a certain minimum length, (2) with special characters, (3) that are unrelated to their user ID, or (4) to pick passwords which are not in an on-line dictionary. This makes passwords more difficult to guess (but more likely to be written down).
Changing passwords Periodic changing of passwords can reduce the damage done by stolen passwords and can make brute-force attempts to break into IT systems more difficult. Too frequent changes, however, can be irritating to users.
Technical protection of the password file. Access control and one-way encryption can be used to protect the password file itself. However, it should not be forgotten that all methods of protection can be beaten if the level of attack is of sufficient sophistication.

From the (Source: www.cse-cst.gc.ca/documents/publications/itsg-csti/
mg9-eng.pdf
)

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators

5.7. Protect the system against loss or damage

Email systems and the networks which support them should be protected from loss or damage from a variety of potential causes such as those listed below (note that the following list is not exhaustive:

  • Physical threats to buildings and computer facilities
  • Natural disasters and environmental threats
  • Computer hardware and software failures
  • Media vulnerabilities
  • Communications vulnerabilities
  • Lack of documentation or loss of documentation
  • Human error
  • Other threats as may arise from time to time

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.8. Use the appropriate security classification

When creating, forwarding or storing email messages of a sensitive, protected or secret nature, users should ensure that the security classification of the message is not greater than the security classification of the system or repository used to create, send or store it.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users

5.9. Set up timely and mandatory processes to create, delete and suspend email accounts

Email programs and systems should have processes in place to react on a timely basis to create an account when an employee or contractor arrives, delete the account when the individual leaves the institution or when, for other legitimate reasons, it is necessary to freeze or suspend the account.

These processes should describe what employees, managers, executives, network administrators and information security specialists should do in a number of different circumstances (and how quickly they should act).

Timely does not necessarily mean immediately. In the case of an employee who is transitioning from one institution to another, it may be appropriate to keep the user's account active until a new account is opened at the destination. In such cases, an information security specialist should be consulted on the most appropriate course of action.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Operational Managers

5.10. Control access rights to email accounts and folders

Access to information and records in email accounts and folders should be restricted to those who need it in order to do their work.

Most individuals with authorized access to their own individual mailbox should have the ability to create, edit and delete messages, and add them to a folder.

Ability to read, mark or "send on behalf of" or add messages to folders may be delegated by a user to one or more co-workers within his or her working group. Rules should be established to govern such delegation.

Authorized individuals may be given read-only access to files in a folder. To reduce the risk of loss of important records or information, only a very restricted number of individuals should have the ability to delete messages from a folder.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators

5.11. Use message protection and authentication controls

Email management programs and systems should provide message protection and authentication controls to prevent users and administrators from changing a message once it has been sent to at least one recipient, in order to facilitate authentication and version control.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators

5.12. Make regular and consistent backups for disaster recovery

Email management programs or systems should provide for periodic backups, which should be performed on a consistent basis, as required, to meet the business needs of the organization.

  • Backups should be verified to ensure that they have worked properly.
  • Backups should be stored off-site
  • Backups should be recycled periodically according to an approved retention schedule applicable to the backup media
  • Backup procedures should be documented and managed to demonstrate compliance

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators

5.13. Use digital signatures when appropriate

Digital signatures should be used in correspondence or transactions when the recipient needs to know without doubt that the message is from a trusted sender, that the message has not been altered, and that the sender will not be able to deny having sent it.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists
  • Operational Managers
  • Executives

5.14. Remove digital signatures that prevent access from email that is to be transferred to Library and Archives Canada

Digital signatures do not typically prevent access to content, context or structure of an email document. Digital signatures that could prevent such access should be removed from email messages that are to be transferred to Library and Archives Canada.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.15. Do not use scanned signatures to sign messages

Users should not use a scanned signature to sign an email message because the scanned signature does not authenticate the email. There is also a risk that the signature could be copied for use in forged documents.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users

5.16. Use Encryption where appropriate

Where appropriate, encryption may be used to increase the security of email messages and attachments in storage and during transmission.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists
  • Operational Managers
  • Executives

5.17. Manage longer term near-line storage of email messages

If email messages are to be retained more than just temporarily, the email messages, metadata and attachments should be stored in an electronic information management system separate from the email system.

Messages, metadata and attachments should be kept together or, if these elements are stored separately, it should be possible to restore the relationship such that the authenticity and integrity of the elements and their relationship can be demonstrated in a court of law.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.18. Avoid storing paper print-outs of email messages if an electronic original exists

Storage of paper printouts of electronic information is not the preferred method of storing information in the GC. However, storage of paper printouts of email messages may be appropriate for smaller institutions with limited technological resources. Paper printouts may also be appropriate for storage of high-risk records.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists

5.19. Protect email against damage to the storage medium

An email management program should provide protection against damage to the electronic storage medium, and against damage of the electronic information, and should take periodic measures of stored data to detect data loss.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.20. Protect email against obsolescence

An email management program should provide for protection of email messages from obsolescence of the software or hardware required to read email messages and attachments.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.21. Create, maintain and preserve email system documentation

Documentation supporting an email management system should be capable of providing reasonable proof of the condition of the system and of the authenticity and integrity of the relevant messages, metadata and attachments, at all relevant times.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.22. Keep email system documentation as a permanent record

System documentation should be considered a permanent government record and should be handled and stored accordingly.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.23. Allow different retention periods for emails and attachments

Whether the email management system keeps messages and attachments together or not, the system should be configured so as to have the ability to manage a message for which the retention period is just beginning, and an attachment for which the retention period is about to expire. Note that the retention period is always determined by the content of the information and not the medium by which is created, transmitted or stored. This is a complex problem and a difficult technical challenge. Consultation with legal counsel is strongly advised.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

5.24. Apply hold orders, when necessary, to delay disposition

Email management programs and systems should have the capacity to identify email information or records slated for disposition, and, when necessary, isolate or otherwise protect them from well-intended, ill-intended, or accidental destruction.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists

Previous | Table of Contents | Next