Library and Archives Canada

Email Management Guidelines - Roadmap

5. Institutions must ensure that their email records are maintained, protected and preserved in accordance with appropriate retention schedules

Individual institutions must ensure that information of enduring value to the Government of Canada or to Canadians is available for current and future use. Institutions should conduct a risk assessment to determine the appropriate retention schedules for various types of information - the key being that the content of the record is what determines how long it should be kept - not the technology or medium used to create it. Users should refer to the institution's classification structure and related retention schedules in order to ensure that messages are stored in the appropriate repository, for the appropriate period of time.

Essential records must be safeguarded. Records should be protected by appropriate network security and physical security measures. They should also be protected to ensure their usability, including the usability of encrypted information, over time and through technological change. It is vitally important to create, maintain and preserve email system and storage system documentation for effective disaster recovery, and to substantiate the authenticity of email messages involved in judicial, audit or ATIP proceedings. A key requirement is the ability for institutions to protect email messages from improper disclosure, use, disposition or destruction, in accordance with legal and policy obligations. It may be necessary on occasion to apply hold orders, to delay disposition of records that may be required for legal purposes.

Expected Outcome

In any given federal government institution, the following benchmarks will have been achieved:

  • Information contained in email that is of enduring value to the Government of Canada or to Canadians will be reliably available for current and future use.
  • It will be possible to ensure the usability of email, including the usability of encrypted information, over time and through technological change.
  • Retention schedules will be known by email users and correctly applied based on the content of the email or applied automatically based on the classification of the email.
  • Email messages will be reliably protected from improper disclosure, use, disposition or destruction, in accordance with legal and policy obligations.

5.1. Email systems should not be subjected to indiscriminate purges

Email systems should not be subjected to periodic and indiscriminate purges of messages, whether by manual or by automated means, whether by users or by network or system administrators. Messages should only be deleted or disposed of in accordance with institution-approved disposition schedules and must not be disposed of simply because the mailbox is "full" or because the messages have aged beyond some arbitrary time limit.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators

Rationale

It might make good sense from an information technology perspective to reduce strain on the email system by routinely deleting messages that are older than some predetermined limit. However, it makes no sense from an information management perspective.

Deleting old emails indiscriminately is certain to destroy important government information or records. Unauthorized destruction of records is an offence under the Library and Archives Canada Act and other legislation. Indiscriminate destruction of information could prevent the institution from producing email evidence when required to do so. Instead, solid IM practices should be in place to allow for records to be managed, which would reduce the load on servers and allow for disposal according to retention schedules.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that email records and information must be managed in an organized way. Users must delete non-records when they have served their purpose and classify (file) and store email messages, metadata and attachments that contain government records or information, and retain them for an appropriate period of time.

It is not acceptable, under any circumstances, for any employee to simply delete messages, metadata or attachments that exceed some arbitrary age.

5.2. Manage email records to allow access by authorized staff

To allow the institution to continue to do its work, email management systems and programs should provide the flexibility to allow authorized staff to obtain access to email when the holder of the email account is absent.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Operational Managers

Rationale

Along with the need to access information for legal purposes, access by staff and by the public are the fundamental drivers behind email management best practices and information management in general. If it were never necessary to retrieve aging documents for internal purposes, to satisfy the public's need for information, to preserve historical information and to ensure the accountability of government, then there would be no reason to retain and preserve email messages.

Occasionally, an employee may be absent from work. This could be disruptive if the employee held information in his or her email account that other authorized employees might need to perform their work. To prevent this from happening, an employee may authorize one or more other individuals in the work unit to have read access to his or her email account.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that, in order to allow (institution) to continue to do its work, email management systems and programs must provide the flexibility to allow authorized staff to obtain access to email when the holder of the email account is absent.

Users are hereby advised that a system administrator may, at any time, for any legitimate reason, access a user's email account to view, copy, forward, transfer to file or delete messages, as authorized:

  • By the user
  • By the user's manager
  • By the (institution) security officer
  • By the (institution) legal counsel

Legitimate reasons may include the need to obtain information in the employee's email account to ensure that work progresses or that critical information is shared, or that the public continues to be served in the employee's absence. Legitimate reasons may also include the need to obtain information to be used as evidence in legal proceedings or audits, while the employee is absent. Such access may also be required in the event of an investigation into misuse of the email system.

If an email user regularly sends or receives information, via email, that other authorized employees might need to do their work, the user may authorize one or more other individuals in the work unit to have read access to his or her email account.

5.3. Remove encryption before leaving an institution

Encryption should be removed from email messages and attachments before a user leaves an institution.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users

Rationale

Encryption is a way of substituting the text of a message or attachment with a code that only the intended recipient(s) can decode in order to reconstruct the original text. A simple code, familiar to many children, is to substitute the letters of the alphabet with corresponding numbers (A=1, B=2, C=3, etc.). Today's encryption technology encrypts a message (applies the code) and then decrypts it (decodes it) at the click of a button, but uses a vastly more sophisticated code.

The use of email is not recommended for transmission of messages or attachments that contain highly sensitive, protected or secret information. However, under some circumstances, defined by security policy and authorized by institution management, such information may be transmitted, as long as it is encrypted using technology approved by the Government of Canada.

See Policy for Public Key Infrastructure Management in the Government of Canada
www.tbs-sct.gc.ca/pubs_pol/ciopubs/PKI/pki_e.asp

Library and Archives Canada states:

Encryption can be used to increase the security of electronic documents in storage and during transmission. It enhances the confidentiality of the content of the document and limits access to that content. In the case of stored documents, encryption is analogous to physical security measures and as such, is external to the document itself.

Encryption of documents during transmission provides the function of a traditional paper envelope. Because this "envelope" is not an integral part of the document, and because envelopes have not traditionally been appraised as having archival value, the Library and Archives Canada will not preserve the encrypted version of records in electronic form.
(Source: www.collectionscanada.gc.ca/government/products-services/007002-3015-e.html)

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

In accordance with Library and Archives Canada guidelines, it is the policy of (name of institution) that encryption be removed from email messages that are to be archived. The ability to read an email message that has been encrypted and the ability to remove the encryption must be maintained until the encryption is removed, whether removal is planned to occur at some time during the retention period of the message, or at the end of the retention period, when the message is to be deposited with Library and Archives Canada. To support this policy, encryption should be removed from email messages and attachments before a user leaves an institution.

5.4. Remove encryption before transferring email to Library and Archives Canada

Encryption should be removed from email messages and attachments before they are transferred to Library and Archives Canada. The user should decrypt the message if he or she is still with the organization at the time. Otherwise, the operational manager responsible for the part of the organization where the message was produced should decrypt the message. In the latter instance, the advice of an information management specialist and the assistance of a network or system administrator may be required. In the absence of the operational manager or the user, the information management specialist should have the authority to decrypt the message, with the assistance of a network or system administrator.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists
  • Operational Managers

Rationale

Encrypted messages will not be accepted by Library and Archives Canada.

See Policy for Public Key Infrastructure Management in the Government of Canada
www.tbs-sct.gc.ca/pubs_pol/ciopubs/PKI/pki_e.asp

Library and Archives Canada states:

Encryption can be used to increase the security of electronic documents in storage and during transmission. It enhances the confidentiality of the content of the document and limits access to that content. In the case of stored documents, encryption is analogous to physical security measures and as such, is external to the document itself.

Encryption of documents during transmission provides the function of a traditional paper envelope. Because this "envelope" is not an integral part of the document, and because envelopes have not traditionally been appraised as having archival value, the Library and Archives Canada will not preserve the encrypted version of records in electronic form.
(Source: www.collectionscanada.gc.ca/government/products-services/007002-3015-e.html)

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

In accordance with Library and Archives Canada guidelines, it is the policy of (name of institution) that encryption be removed from email messages that are to be archived. The ability to read an email message that was encrypted and the ability to remove the encryption must be maintained until the encryption is removed, whether removal is planned to occur at some time during the retention period of the message, or at the end of the retention period, when the message is to be deposited with Library and Archives Canada.

5.5. Provide security for networks that support email

Email programs and systems should be supported by networks that are protected by standard technologies such as firewalls, and protection against threats such as those listed below (note that the following list is not exhaustive):

  • Unauthorized access
  • Viruses, worms, Trojan horses, ActiveX and Java applets
  • Spam
  • Spyware, adware and pop-ups
  • Other invasive threats as may arise from time to time

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators

Rationale

An institution's email program or system is entirely dependent on network connections, and the network itself must be protected from a wide variety of threats including unauthorized access.

There is no way to completely neutralize all threats and avoid all risks. The response must be proportional to the threat and to the risk.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that networks supporting email programs and systems must be protected against threats such as:

  • Unauthorized access
  • Viruses, worms, Trojan horses, ActiveX and Java applets
  • Spam
  • Spyware, adware and pop-ups
  • Other invasive threats

The degree of response should be proportional to the risk and to the threat. The (Security Officer) must be consulted and appropriate threat/risk analysis must be conducted to determine the appropriate security measures.

5.6. Use passwords, change them regularly and keep them secret

Network or system administrators should set up password systems and ensure that users comply with password policies. An important first step is to protect password files themselves. To do so, administrators should first change the system or application manufacturer's default administration password (if any). These default passwords are widely known and easily exploited by hackers to gain access to the hundreds or thousands of passwords used in the institution.

Users should select passwords that are difficult to guess (avoiding names of one's children, pets, favourite local sports teams, local celebrities, etc.). Passwords should be consistent with institution-approved password standards and attributes. Users should also keep their passwords secret, and change them on schedule.

Suggestions on Improving Password Security
From the Canadian Handbook on Information Technology Security - section 16.1.1 - Passwords
Available from Canada's Communications Security Establishment

  • Password generators. If users are not allowed to generate their own passwords, they cannot pick easy-to-guess passwords. Some generators create only pronounceable non-words to help users remember them. However, users tend to write down hard-to-remember passwords.
  • Pass-phrases. The use of a short phrase rather than a single word may improve passwords. The phrase is normally easier for the user to remember, and the result may be more secure provided that obvious phrases are avoided.
  • Limits on log-in attempts. Many operating systems can be configured to lock a user ID after a set number of failed log-in attempts. This helps to prevent guessing of passwords.
  • Password attributes. Users can be instructed, or the IT system can force them, to select passwords (1) with a certain minimum length, (2) with special characters, (3) that are unrelated to their user ID, or (4) to pick passwords which are not in an on-line dictionary. This makes passwords more difficult to guess (but more likely to be written down).
  • Changing passwords. Periodic changing of passwords can reduce the damage done by stolen passwords and can make brute-force attempts to break into IT systems more difficult. Too frequent changes, however, can be irritating to users.
  • Technical protection of the password file. Access control and one-way encryption can be used to protect the password file itself. However, it should not be forgotten that all methods of protection can be beaten if the level of attack is of sufficient sophistication.

(Source: www.cse-cst.gc.ca/its-sti/publications/itsg-csti/mg9-eng.html)

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators

Rationale

In literature on information technology security, a commonly described security risk is that someone may use someone else's password to gain unauthorized access to email files or to send false or damaging information from another person's account, causing intentional or unintentional embarrassment or harm to the account holder, the institution or the recipient. These risks can be mitigated by implementing an effective password system.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that system administrators set up a password system which requires at a minimum 8 characters, at least one of which must be a lower case letter from the Roman alphabet, at least one of which must be an upper case letter from the Roman alphabet, and at least one of which must be a number.

The use of other characters such as @, #, $, %, &, *, etc., in passwords is not recommended. Some applications will only recognize passwords that have letters or numbers in them, and will not recognize other characters.
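The handbook suggestions and the sample policy statement above can be enforced together in software. The following is an added example, not part of the original guideline: it checks the password attributes, stores only a salted one-way value, and locks a user ID after repeated failures. The lockout threshold, the work factor, the word list and the user ID are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8               # from the sample policy statement
MAX_FAILED_ATTEMPTS = 3      # assumed; the handbook only says "a set number"
PBKDF2_ITERATIONS = 600_000  # assumed work factor for the one-way function

# Constructed stand-in for the "on-line dictionary" the handbook mentions.
COMMON_WORDS = {"password", "welcome", "senators", "canada"}


def policy_violations(user_id, password):
    """Return the list of rules the candidate password breaks (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not (password.isascii() and password.isalnum()):
        problems.append("uses characters other than letters and numbers")
    if user_id.lower() in password.lower():
        problems.append("related to the user ID")
    # A dictionary word with digits added is still a dictionary word.
    if re.sub(r"[0-9]", "", password).lower() in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def _derive(password, salt):
    """One-way transformation: the password cannot be read back from the result."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class PasswordStore:
    """In-memory password file that never holds a clear-text password."""

    def __init__(self):
        self._records = {}  # user_id -> (salt, derived value)
        self._failed = {}   # user_id -> consecutive failed log-in attempts

    def set_password(self, user_id, password):
        problems = policy_violations(user_id, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)  # per-user salt so equal passwords store differently
        self._records[user_id] = (salt, _derive(password, salt))
        self._failed[user_id] = 0

    def is_locked(self, user_id):
        return self._failed.get(user_id, 0) >= MAX_FAILED_ATTEMPTS

    def verify(self, user_id, password):
        # A locked or unknown user ID is refused before any comparison is made.
        if user_id not in self._records or self.is_locked(user_id):
            return False
        salt, stored = self._records[user_id]
        if hmac.compare_digest(stored, _derive(password, salt)):
            self._failed[user_id] = 0
            return True
        self._failed[user_id] += 1
        return False


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("jtremblay", "Rideau7Canal42")  # constructed sample account
    print(policy_violations("jtremblay", "Canada2024"))
    print(store.verify("jtremblay", "Rideau7Canal42"))
```

Once a user ID is locked, even the correct password is refused until an administrator resets the counter, which is the behaviour the "limits on log-in attempts" suggestion describes.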

5.7. Protect the system against loss or damage

Email systems and the networks which support them should be protected from loss or damage from a variety of potential causes such as those listed below (note that the following list is not exhaustive):

  • Physical threats to buildings and computer facilities
  • Natural disasters and environmental threats
  • Computer hardware and software failures
  • Media vulnerabilities
  • Communications vulnerabilities
  • Lack of documentation or loss of documentation
  • Human error
  • Other threats as may arise from time to time

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

It is one thing to create regular backups. But is the server room always locked? Is the server room in the basement of a building that sits on a floodplain? If there is a fire in the server room, are the extinguishers of a type that will protect (or destroy) hardware or electronic media? If there is a fire on any of the floors above the server room, what is to prevent water from running down into the servers? Are the backup tapes contaminated with dust mites or mould? If the network administrator is suddenly incapacitated, is there documentation that would enable someone else to take over? Would the documentation tell the replacement where the backup tapes are kept? Is there a backup copy of the documentation? Is it stored off-site as well?

It is essential to consider the full range of threats, assess the risk involved, and take steps to mitigate the potential negative impact.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that systems supporting email should be protected from a wide range of threats that could lead to loss or damage.

  • Physical threats to buildings and computer facilities
  • Natural disasters and environmental threats
  • Computer hardware and software failures
  • Media vulnerabilities
  • Communications vulnerabilities
  • Lack of documentation or loss of documentation
  • Human error

5.8. Use the appropriate security classification

When creating, forwarding or storing email messages of a sensitive, protected or secret nature, users should ensure that the security classification of the message is not greater than the security classification of the system or repository used to create, send or store it.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users

Rationale

An email message should not be created, sent or stored on a system or repository that does not provide a correspondingly high degree of protection (or a higher degree of protection). This principle applies to all security classifications.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that when creating, forwarding or storing email messages of a sensitive, protected or secret nature, users should ensure that the security classification of the message is not greater than the security classification of the system or repository used to create, send or store it.

5.9. Set up timely and mandatory processes to create, delete and suspend email accounts

Email programs and systems should have processes in place to react on a timely basis to create an account when an employee or contractor arrives, delete the account when the individual leaves the institution or when, for other legitimate reasons, it is necessary to freeze or suspend the account.

These processes should describe what employees, managers, executives, network administrators and information security specialists should do in a number of different circumstances (and how quickly they should act).

Timely does not necessarily mean immediately. In the case of an employee who is transitioning from one institution to another, it may be appropriate to keep the user's account active until a new account is opened at the destination. In such cases, an information security specialist should be consulted on the most appropriate course of action.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Operational Managers

Rationale

When an employee or contractor arrives, it is wasteful if they are prevented from doing the work they were engaged to do because they do not have access to an email account within the institution.

When an employee or contractor arrives or leaves, he or she, as well as his or her manager, departmental executives and the network administrators, each have responsibilities.

On arrival, the new worker should log on, create a password, and become familiar with the email system and his or her role in managing email records and information.

Departing employees should be advised to perform a clean-up of their email, deleting transient messages and retaining and filing any messages that have longer-term significance. For temporary absences, employees should be advised to delegate access to another responsible individual. For internal transfers, employees should be asked to obtain permission if they need to take some information with them.

Managers are responsible for ensuring that new workers are appropriately trained in the use of the email system. Managers are also responsible for ensuring that departing employees or contractors delete or file their email messages appropriately, that information is kept within an authorized circle, retention periods are observed and work is delegated.

Where an employee is dismissed, other considerations apply, and it may be necessary to keep all email, including the employee's personal email, if it may be used as evidence by the department or by the employee in an appeal or other legal action. One source even recommends that an account be frozen and preserved for a standard period of time consistent with the allowable appeal period in the event of dismissal.

At the executive level, managers should develop procedures for the triage and termination of employee email accounts under various circumstances.

Network administrators are responsible for creating and closing the employee's email account, or at least terminating the employee's access to the account, once the employee has left.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that email programs and systems must have processes in place to react promptly when an employee, contractor or other user joins, leaves or relocates (the institution).

These processes must describe what employees, managers, executives and network administrators are to do in a number of different circumstances (and how quickly they should act).

  • When a new employee or contractor joins the institution
  • When an employee leaves on a temporary basis (such as vacation, illness, maternity)
  • When an employee resigns or a contractor comes to the end of an assignment
  • When an employee is transferred to another branch or institution
  • When an employee is laid off or when employment is terminated

These processes must consider the applicability of a number of different steps:

  • Delegating access to the email account - and determining the type of access to be delegated
  • Deleting messages unrelated to institution business, or transient messages
  • Classifying, filing and setting the retention period for email messages that are to be kept
  • Identifying messages that require follow-up - and forwarding them to another employee for action
  • Deciding whether there is information in the account that should be shared - and who should share it
  • Keeping the account open, but terminating employee access, or closing it completely

Where an employee is dismissed, additional considerations must apply:

  • Deciding whether or not to keep all of the employee's email including personal email, as evidence
    • required by the department for legal proceedings against the employee
    • required by the employee who is entitled to use the records in his or her defence.
  • Considering whether the file should be frozen, if the employee has a period of time to appeal

5.10. Control access rights to email accounts and folders

Access to information and records in email accounts and folders should be restricted to those who need it in order to do their work.

Most individuals with authorized access to their own individual mailbox should have the ability to create, edit and delete messages, and add them to a folder.

Ability to read, mark or "send on behalf of" or add messages to folders may be delegated by a user to one or more co-workers within his or her working group. Rules should be established to govern such delegation.

Authorized individuals may be given read-only access to files in a folder. To reduce the risk of loss of important records or information, only a very restricted number of individuals should have the ability to delete messages from a folder.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators

Rationale

The general principle is that network administrators should restrict access to information to those who need it in the course of their work.

The ability to read, mark or "send on behalf of" or add messages to folders of others may be advantageous within a working group and may be delegated by a user to one or more co-workers within his or her working group.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that access to information and records in email accounts and folders must be restricted to those who need it in order to do their work.

Most individuals with authorized access to their own individual mailbox should have the ability to create, edit and delete messages, and add them to a folder.

Ability to read, mark or "send on behalf of" or add messages to folders may be delegated by a user to one or more co-workers within his or her working group. However, to reduce the risk of loss of important records or information, only a very restricted number of individuals should have the ability to delete messages from a folder.

5.11. Use message protection and authentication controls

Email management programs and systems should provide message protection and authentication controls to prevent users and administrators from changing a message once it has been sent to at least one recipient, in order to facilitate authentication and version control.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators

Rationale

The authenticity of a record is a measure of the confidence that one can have that an email message is the original and authentic record - or in electronic media, a true copy of the original message. Integrity, in this context, is the quality of having been preserved in unaltered form. These are both important concepts in law, as pertains to rules of evidence.

Message protection and authentication controls prevent users and administrators from altering an email message once it has been sent to at least one recipient. When these controls are used, the message cannot be altered unless it is sent as a new message with new transmission and receipt data. Message protection controls support the authenticity, integrity, reliability, and version control of email messages.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that message protection controls should be implemented to support the authenticity, integrity, reliability, and version control of email messages.

These controls should prevent users and administrators from altering an email message once it has been sent to at least one recipient. When these controls are used, the message cannot be altered unless it is sent as a new message with new transmission and receipt data.

5.12. Make regular and consistent backups for disaster recovery

Email management programs or systems should provide for periodic backups, which should be performed on a consistent basis, as required, to meet the business needs of the organization.

  • Backups should be verified to ensure that they have worked properly.
  • Backups should be stored off-site
  • Backups should be recycled periodically according to an approved retention schedule applicable to the backup media
  • Backup procedures should be documented and managed to demonstrate compliance

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators

Rationale

Backups provide a measure of protection against the possible loss of records in the event of a major disaster such as fire, flood or earthquake. Backups must be stored off-site to reduce the risk that original system records and backups might both be lost, as might occur if both sets of records were kept in the same building.

Note that backups are typically recycled on a periodic basis and are not designed to distinguish subject matter or retention periods. In short, backups are a risk reduction measure - not a form of email information management.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that email records and information must be backed up according to the following schedule.

Backups will occur on a (daily, weekly or other) cycle and will be transferred off-site where they will be retained for (days, weeks, months, years), after which the tapes or other backup media may be recycled.

5.13. Use digital signatures when appropriate

Digital signatures should be used in correspondence or transactions when the recipient needs to know without doubt that the message is from a trusted sender, that the message has not been altered, and that the sender will not be able to deny having sent it.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists
  • Operational Managers
  • Executives

Rationale

In simple terms, a digital signature is really just a numerical value. A formula is used to derive a value from the message that is being signed, and to combine that value with another secret number assigned to the sender.

A digital signature is virtually impossible to forge, and it is an important way to authenticate an email message. It can be verified using automation, and this technology will also reveal even the slightest attempt to alter the original message. Digital signatures depend on a technology called public key cryptography, also known as public key infrastructure (PKI).

To obtain a digital signature, one must first obtain approval from an authorized manager to apply for a digital certificate. A digital certificate contains a person's name, a serial number, expiration dates and a copy of a person's digital signature, as well as the digital signature of the certificate-issuing authority. The certificate is used to establish a person's credentials when doing business or other transactions. A department may issue its own certificates or obtain them from a trusted commercial service provider.

Library and Archives Canada states:

Digital signatures confer three qualities on an electronic document. These are data integrity, authentication and non-repudiation. Successful verification of a digital signature ensures the recipient that the "document received" is identical to the "document sent" (data integrity) and confirms the identity of the sender (authentication). It also prevents any subsequent denial by the sender that the document originated with them (non-repudiation). The importance of these assurances is paramount at the time the document is received but diminishes once the recipient's decision to act on the document is made.

Source: Guidelines For Records Created under a Public Key Infrastructure Using Encryption and Digital Signatures -
www.collectionscanada.gc.ca/government/products-services/007002-3015-e.html

Note: While digital signature technology authenticates an email message and prevents it from being tampered with, it does not conceal or hide the content of the message and should not be confused with encryption technology (which can be used to prevent information from being read by unauthorized parties).
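The qualities described above (integrity, authentication, and the absence of any concealment) can be observed in a short run. This is an added example, not part of the guidelines or of any Government of Canada PKI product: it uses the crypto module built into Node.js with an Ed25519 key pair chosen for brevity, a constructed sample message, and it assumes the recipient already trusts the sender's public key (in practice that trust comes from the digital certificate).

```javascript
// Added illustration: sign an email, verify it, and show what verification catches.
const crypto = require("crypto");

// Constructed sample message; addresses and contents are hypothetical.
const MESSAGE = [
  "From: sender@example.gc.ca",
  "To: recipient@example.gc.ca",
  "Subject: Contract approval",
  "",
  "The contract is approved for $10,000.",
].join("\r\n");

// The private key is the sender's secret; the public key is what a
// certificate would publish so that anyone can verify the signature.
function newKeyPair() {
  return crypto.generateKeyPairSync("ed25519");
}

// The envelope carries the body in the clear next to the signature:
// signing authenticates the message, it does not hide it.
function signMessage(body, privateKey) {
  const signature = crypto.sign(null, Buffer.from(body, "utf8"), privateKey);
  return { body, signature: signature.toString("base64") };
}

function verifyMessage(envelope, publicKey) {
  return crypto.verify(
    null,
    Buffer.from(envelope.body, "utf8"),
    publicKey,
    Buffer.from(envelope.signature, "base64")
  );
}

function signatureDemo() {
  const sender = newKeyPair();
  const impostor = newKeyPair();
  const envelope = signMessage(MESSAGE, sender.privateKey);

  // A single changed character in the body.
  const altered = { ...envelope, body: envelope.body.replace("$10,000", "$70,000") };
  // The same text signed by someone who does not hold the sender's key.
  const forged = signMessage(MESSAGE, impostor.privateKey);

  return {
    genuine: verifyMessage(envelope, sender.publicKey),
    altered: verifyMessage(altered, sender.publicKey),
    forged: verifyMessage(forged, sender.publicKey),
    bodyReadableWithoutKey: envelope.body === MESSAGE,
  };
}

console.log(signatureDemo());
```

Only the unmodified message signed with the sender's own key verifies; the body remains readable to anyone who holds the envelope, which is why encryption is a separate control.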

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that digital signatures may be used in correspondence or transactions when the recipient needs to know without doubt that the message is from a trusted sender, that the message has not been altered, and that the sender will not be able to deny having sent it.

A digital signature is provided only upon issuance of a digital certificate by an approved and trusted certification authority. The digital certificate contains a person's name, a serial number, expiration dates and a copy of a person's digital signature, as well as the digital signature of the certificate-issuing authority. The certificate is used to establish a person's credentials when doing business or other transactions. A department may issue its own certificates or obtain them from a central government service provider, or a trusted commercial service provider.

Select from one of the options below

(Option 1) The (institution) operates a public key infrastructure (PKI) that provides security features like digital signatures and encryption. This is expensive technology and is available based on need, threat and risk. To obtain access to digital signatures, one must first obtain a certificate, issued by the institution's certificate authority. Applications for a certificate must be completed and signed by the user's (manager, director, director-general). It (will or may) be necessary to conduct a threat-risk analysis first. Full instructions are available on the institution's Intranet at (web address).

(Option 2) The (institution) subscribes to a public key infrastructure (PKI) operated by Public Works and Government Services Canada (PWGSC). The PKI provides security features like digital signatures and encryption. This is expensive technology and is available based on need, threat and risk. To obtain access to digital signatures, one must first obtain a certificate, issued by the institution's certificate authority. Applications for a certificate must be completed and signed by the user's (manager, director, director-general). It (will or may) be necessary to conduct a threat-risk analysis first. Full instructions are available on the institution's Intranet at (web address).

(Option 3) The (institution) subscribes to a public key infrastructure (PKI) operated by (a trusted commercial service provider). The PKI provides security features like digital signatures and encryption. This is expensive technology and is available based on need, threat and risk. To obtain access to digital signatures, one must first obtain a certificate, issued by the institution's certificate authority. Applications for a certificate must be completed and signed by the user's (manager, director, director-general). It (will or may) be necessary to conduct a threat-risk analysis first. Full instructions are available on the institution's Intranet at (web address).

5.14. Remove digital signatures that prevent access from email that is to be transferred to Library and Archives Canada

Digital signatures do not typically prevent access to content, context or structure of an email document. Digital signatures that could prevent such access should be removed from email messages that are to be transferred to Library and Archives Canada.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

The importance of a digital signature decreases once the recipient receives an email message and makes a decision or takes some action in response to the information it contains.

Library and Archives Canada states:

For Library and Archives Canada's purposes, the integrity and authenticity of records will continue to be inferred from their placement within an institution's record-keeping system during the normal course of business, and from proof of that institution's reliance on records kept within their record-keeping system.

Library and Archives Canada will not attempt to maintain the capacity to re-verify a digital signature after transfer to its control, nor to preserve the traces of a digital signature generated under the current federal PKI system. Further, Library and Archives Canada will not accept records made unintelligible by the presence of a digital signature, but will accept records where the content, context and structure of the document, exclusive of its digital signature, remain intelligible and their integrity and authenticity can be inferred from their placement within an institution's record-keeping system. It is important to note that loss of the ability to render an intelligible electronic record may de facto constitute destruction of the record within the meaning of Section 5(1) of the Library and Archives Canada Act.

Source: Guidelines For Records Created under a Public Key Infrastructure Using Encryption and Digital Signatures -
www.collectionscanada.gc.ca/government/products-services/007002-3015-e.html

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

In accordance with Library and Archives Canada guidelines, it is the policy of (name of institution) that digital signatures be removed from email messages that are to be archived. The ability to read an email message that has a digital signature and the ability to remove the digital signature must be maintained until the digital signature is removed, whether removal is planned to occur at some time during the retention period of the message, or at the end of the retention period, when the message is to be deposited with Library and Archives Canada.

5.15. Do not use scanned signatures to sign messages

Users should not use a scanned signature to sign an email message because the scanned signature does not authenticate the email. There is also a risk that the signature could be copied for use in forged documents.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users

Rationale

Users are warned not to use scanned signatures under any circumstances. A scanned signature is merely a digital attachment - not a digital signature.

A user's handwritten signature can easily be captured as an image file by a scanner. However, it is a dangerous practice to use the scanned image of a signature in an email message or attachment in order to simulate the true handwritten signature of the sender.

The danger is that a dishonest person could just as easily cut and paste the image of the signature onto another electronic document to create a forgery. Because forgery is so easy in such cases, a scanned signature is not likely to be taken as reliable evidence in court, or during an audit.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that the use of a scanned image of a user's signature on an electronic document, as a substitute for a handwritten signature, is not permitted for any correspondence of any kind, including email.

5.16. Use Encryption where appropriate

Where appropriate, encryption may be used to increase the security of email messages and attachments in storage and during transmission.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists
  • Operational Managers
  • Executives

Rationale

Encryption is a way of substituting the text of a message or attachment with a code that only the intended recipient(s) can decode in order to reconstruct the original text. A simple code, familiar to many children, is to substitute the letters of the alphabet with corresponding numbers (A=1, B=2, C=3, etc.). Today's encryption technology encrypts a message (applies the code) and then decrypts it (decodes it) at the click of a button, but uses a much more sophisticated code.

The use of email is not recommended for transmission of messages or attachments that contain highly sensitive, protected or secret information. However, under some circumstances, defined by security policy, and authorized by institution management, such information may be transmitted, as long as it is encrypted, using technology approved by the government of Canada.

The capacity to encrypt information and the capacity to attach a digital signature are typically packaged in the same security application. To obtain a digital signature, and the capacity to encrypt email messages and other documents, one must first obtain approval from an authorized manager to apply for a digital certificate. A digital certificate contains a person's name, a serial number, expiration dates and a copy of a person's digital signature, as well as the digital signature of the certificate-issuing authority. The certificate is used to establish a person's credentials when doing business or other transactions. A department may issue its own certificates or obtain them from a trusted commercial service provider.

See Policy for Public Key Infrastructure Management in the Government of Canada
www.tbs-sct.gc.ca/pubs_pol/ciopubs/PKI/pki_e.asp

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that encryption may be used in email correspondence or transactions when the sender needs to know that only the intended recipient will be able to read the message, and that it will not be readable, in any electronic form, by anyone else.

Encryption technology is provided only upon issuance of a digital certificate by an approved and trusted certification authority. The digital certificate contains a person's name, a serial number, expiration dates and a copy of a person's digital signature, as well as the digital signature of the certificate-issuing authority. The certificate is used to establish a person's credentials when doing business or other transactions, and allows the user to encrypt messages so that they can only be decrypted and read, in electronic form, by the intended recipient. A department may issue its own certificates, or obtain them from a central government service provider, or a trusted commercial service provider.

Select from one of the options below

(Option 1) The (institution) operates a public key infrastructure (PKI) that provides security features like digital signatures and encryption. This is expensive technology and is available based on need, threat and risk. To obtain access to digital signature and encryption technology, one must first obtain a certificate, issued by the institution's certificate authority. Applications for a certificate must be completed and signed by the user's (manager, director, director-general). It (will or may) be necessary to conduct a threat-risk analysis first. Full instructions are available on the institution's Intranet at (web address).

(Option 2) The (institution) subscribes to a public key infrastructure (PKI) operated by Public Works and Government Services Canada (PWGSC). The PKI provides security features like digital signatures and encryption. PKI is expensive technology and is available based on need, threat and risk. To obtain access to digital signature and encryption technology, one must first obtain a certificate, issued by the institution's certificate authority. Applications for a certificate must be completed and signed by the user's (manager, director, director-general). It (will or may) be necessary to conduct a threat-risk analysis first. Full instructions are available on the institution's Intranet at (web address).

(Option 3) The (institution) subscribes to a public key infrastructure (PKI) operated by (a trusted commercial service provider). The PKI provides security features like digital signatures and encryption. This is expensive technology and is available based on need, threat and risk. To obtain access to digital signature and encryption technology, one must first obtain a certificate, issued by the institution's certificate authority. Applications for a certificate must be completed and signed by the user's (manager, director, director-general). It (will or may) be necessary to conduct a threat-risk analysis first. Full instructions are available on the institution's Intranet at (web address).

5.17. Manage longer term near-line storage of email messages

If email messages are to be retained more than just temporarily, the email messages, metadata and attachments should be stored in an electronic information management system separate from the email system.

Messages, metadata and attachments should be kept together or, if these elements are stored separately, it should be possible to restore the relationship such that the authenticity and integrity of the elements and their relationship can be demonstrated in a court of law.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

Email systems are not designed for long-term storage of email messages and attachments. Performance degrades as the memory required for storage increases beyond a given threshold.

Longer term storage of email is best done using storage facilities separate from the email system itself.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

(Option 1) It is the policy of (name of institution) to store a single copy of message, metadata and attachment on a government-wide database.

Messages, metadata and attachments are received or created using the host technology of the institution (Lotus, MS Outlook, other). Messages, metadata and attachments are automatically transferred to a central repository (maintained by the GC and shared by several departments). Once transferred, the sender and all intended recipients have access to the message, as if it were stored online.

(Option 2) It is the policy of (name of institution) to store a single copy of message, metadata and attachment on a government-wide database.

Messages are received or created using the host technology of the institution (Lotus, MS Outlook, other). Messages, metadata and attachments are automatically transferred to a central repository maintained by (name of institution). Once transferred, the sender and all intended recipients have access to the message, as if it were stored online.

(Option 3) It is the policy of (name of institution) to store email messages in a conventional configuration, where message, metadata, and attachment may be replicated many times.

Messages originating from (or received by) users within the institution are to be stored on-line for a limited time only. Users may keep non-records or transient records on-line until they have served their purpose, and then delete them. However, users are required to review their messages on at least a weekly basis, to decide which messages to keep and which messages to delete. Messages that are considered to be departmental records or information should be classified (filed) in an approved near-line repository.

5.18. Avoid storing paper print-outs of email messages if an electronic original exists

Storage of paper printouts of electronic information is not the preferred method of storing information in the GC. However, storage of paper printouts of email messages may be appropriate for smaller institutions with limited technological resources. Paper printouts may also be appropriate for storage of high-risk records.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists

Rationale

There are advantages and disadvantages to printing out email messages and storing them on paper.

The main advantage of printouts of email messages is that, if printed on acid-free archival quality paper, and if stored under appropriate conditions, the record or information will survive for millennia, whereas the life of most magnetic media is measured in years or, at most, decades. Optical media are significantly more durable than magnetic media, but are still not proven to be as durable as paper.

But there are significant disadvantages to paper printouts.

  • Institutions are cautioned that the cost of indexing, searching and retrieving paper copies is much greater than the cost of storing and maintaining electronic copies.
  • Metadata is often considered relevant in legal proceedings, so, a message stored on paper must be stored with a printout of its metadata - this involves an extra step in the storage process.
  • Paper is limited in its ability to deal with attachments such as large spreadsheets, small databases, audio, video or multi-media files, 3D design drawings, 3D renderings, layered maps, etc., which are a unique concern of the electronic age.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that the preferred method of storing electronic records and information is to place them in electronic storage.

If a document is originally produced on paper, it may be filed and stored as such, in accordance with procedures established by the (name of institution) Information Manager.

A document originally produced on paper may also be digitized (scanned) and reproduced in an electronic file format after which, it may be filed in electronic storage. The original paper document should be disposed of in accordance with procedures established by the (name of institution) Information Manager.

If an electronic document is printed to paper for filing and storage purposes, the document's metadata should also be printed and attached to the paper record. The electronic document should be disposed of in accordance with procedures established by the (name of institution) Information Manager.

5.19. Protect email against damage to the storage medium

An email management program should provide protection against damage to the electronic storage medium, and against damage of the electronic information, and should take periodic measures of stored data to detect data loss.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

Electronic storage media are extremely fragile, vulnerable to magnetic fields as well as to physical damage. Even if well-protected, the support media such as CD-ROM, DVD, magnetic tape, etc., are subject (in archival terms) to rapid decay - less than ten years in some cases. In addition, the storage of electronic information presumes that both software and hardware required to read the data will still exist at some future date.

Magnetic storage media like tapes, diskettes, and hard drives can last 10 to 20 years if well looked after, but they are easily damaged by physical conditions such as abrasion, excessive heat or cold or excessive dryness or humidity. They can be damaged by mould and dust mites and, of course, magnetic media are also vulnerable to magnetic fields.

Optical storage media such as CDs are more durable, and may last 100 years, if properly stored and treated with care.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that email records and information stored on magnetic media (should / must) be protected from threats including dirt, dust, dust mites, mould, oxidation, and chemical reactions, as well as extremes of humidity and temperature.

At appropriate intervals, electronic information should be migrated to more recent hardware and software to make sure that it remains readable. Note that the software and equipment used today may be forgotten 15 years from now.

Periodic spot checks of the data contained in the storage repository should be conducted in order to determine the degree of loss and a threshold should be set, which, when reached, signals the need for migration.
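One way to carry out such a spot check is to record a SHA-256 digest for every item when it enters the repository, then re-hash a random sample later and compare. This is an added example, not part of the guidelines: the record identifiers, the in-memory repository and the 5% threshold are constructed for illustration, and the function names are hypothetical.

```javascript
// Added illustration: fixity spot check with a migration threshold.
const crypto = require("crypto");

function sha256(data) {
  return crypto.createHash("sha256").update(data).digest("hex");
}

// Record the digest of every item at the time it is filed.
function buildManifest(store) {
  const manifest = new Map();
  for (const [id, data] of store) manifest.set(id, sha256(data));
  return manifest;
}

// Unpredictable sample without replacement (Fisher-Yates shuffle).
function pickSample(ids, size) {
  const pool = [...ids];
  for (let i = pool.length - 1; i > 0; i--) {
    const j = crypto.randomInt(i + 1);
    [pool[i], pool[j]] = [pool[j], pool[i]];
  }
  return pool.slice(0, Math.min(size, pool.length));
}

// Re-hash the sampled items; anything missing or changed counts as loss.
function spotCheck(manifest, store, sampleSize, threshold) {
  const findings = pickSample(manifest.keys(), sampleSize).map((id) => {
    const data = store.get(id);
    if (data === undefined) return { id, status: "missing" };
    return { id, status: sha256(data) === manifest.get(id) ? "ok" : "altered" };
  });
  const damaged = findings.filter((f) => f.status !== "ok").length;
  const lossRate = findings.length ? damaged / findings.length : 0;
  return { checked: findings.length, damaged, lossRate, migrate: lossRate >= threshold, findings };
}

// Constructed repository of 20 small records.
function sampleRepository() {
  const store = new Map();
  for (let n = 1; n <= 20; n++) {
    store.set(`REC-${n}`, Buffer.from(`Subject: record ${n}\r\n\r\nBody of record ${n}`));
  }
  return store;
}

function fixityDemo() {
  const store = sampleRepository();
  const manifest = buildManifest(store);
  const clean = spotCheck(manifest, store, 20, 0.05);

  // Simulate media decay: one flipped bit and one unreadable record.
  const rotted = Buffer.from(store.get("REC-7"));
  rotted[0] ^= 0x01;
  store.set("REC-7", rotted);
  store.delete("REC-13");

  const decayed = spotCheck(manifest, store, 20, 0.05);
  return { clean, decayed };
}

const { clean, decayed } = fixityDemo();
console.log("clean:", clean.damaged, "damaged, migrate =", clean.migrate);
console.log("decayed:", decayed.damaged, "damaged, migrate =", decayed.migrate);
```

The manifest itself has to be stored separately from the media it describes, otherwise the same damage can affect both.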

5.20. Protect email against obsolescence

An email management program should provide for protection of email messages from obsolescence of the software or hardware required to read email messages and attachments.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

Electronic devices and storage media are subject to rapid evolution. Even if one were to succeed in preserving email messages, metadata and attachments intact, there is a risk that the hardware and software needed to read them might not still be available in twenty years (or that nobody in the institution would remember how to use them).

Here are three possible solutions to this dilemma.

  • Keep the software that currently reads the files, and enough of the original hardware to simulate the environment in which the email was created or received. This may be practical for some time into the future, but not for a very long term.
  • Immediately migrate the files to a standard format that is not software or hardware dependent. This has the advantage of being "universally" readable, but the original formatting and much of the original context will be lost. This is also an extra step in the process.
  • Migrate the files to a more recent version of the system on which they were created or received. This has the advantage that new versions of software produced today are generally "backward compatible" meaning that they can faithfully read and reproduce files that were created or received on earlier versions. Note that there is a risk that frequent migrations will distort the email messages. Migration procedures should be tested to protect email messages from distortion.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) to protect its email records and information and to ensure that they remain readable, in electronic form, for the appropriate retention period(s).

5.21. Create, maintain and preserve email system documentation

Documentation supporting an email management system should be capable of providing reasonable proof of the condition of the system and of the authenticity and integrity of the relevant messages, metadata and attachments, at all relevant times.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

When establishing the authenticity, integrity, and reliability of email messages, metadata and attachments in court, it may be necessary to provide proof as to the reliability and integrity of the system that was used to create, send, receive or store them. System documentation must be thorough, accurate and up to date and must cover the relevant period of time.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that thorough documentation of its email programs and systems be created and kept up to date. The documentation must be capable of establishing, with reasonable certainty, that email records produced for legal proceedings or for audit purposes are (or are not) reliable evidence. At a minimum, the documentation must be able to establish the following facts.

  • The system was operating properly when the message was created, received, stored or retrieved.
  • The system continued to operate properly after the message was created, received, stored or retrieved.
  • If the system did not operate properly at some relevant time, the relevant messages were unaffected.
  • The system itself was not altered after the message was received or created.
  • If the system was altered at some relevant time, the relevant messages were unaffected.
  • If the system did change the message, metadata or attachments, changes were insignificant.
  • GC standards and/or guidelines for system security were consistently and correctly applied.
  • The system has been subject to regular and consistent backups.
  • Data and audit trails are consistently recorded to prove reliability of the email message.
  • The record copy of a message is properly identified and has been maintained appropriately.
  • Backup procedures have been coordinated with disposition actions.
  • No copies of records are maintained after the retention period for the records has expired.

5.22. Keep email system documentation as a permanent record

System documentation should be considered a permanent government record and should be handled and stored accordingly.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

When establishing the authenticity, integrity, and reliability of email messages, metadata and attachments in court, it may be necessary to provide proof as to the reliability and integrity of the system where it was created or received and/or stored.

Evidence is generally not admissible if it is not considered reliable by the court. A party that fails to produce enough reliable evidence in court may be unable to fully support its case. Worse, if a party is unable to produce sufficient reliable evidence, the court may find the party in default and rule in favour of the opposing party.

Because there is no way of knowing or predicting when it will be necessary to establish this proof in court, system documentation must be kept permanently.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that thorough documentation of its email programs and systems be created and kept up to date and that the documentation (and an off-site backup copy) is to be kept as a permanent archival record.

5.23. Allow different retention periods for emails and attachments

Whether the email management system keeps messages and attachments together or not, the system should be configured so as to have the ability to manage a message for which the retention period is just beginning, and an attachment for which the retention period is about to expire. Note that the retention period is always determined by the content of the information and not the medium by which it is created, transmitted or stored. This is a complex problem and a difficult technical challenge. Consultation with legal counsel is strongly advised.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Network or System Administrators
  • Information Management Specialists

Rationale

Government records and information have a retention period which varies depending on their nature or classification. Some records must be kept for a minimum retention period, which may vary. Other records, chiefly records containing private information, have a maximum retention period, and must be disposed of when the period has expired.

In either case, the retention period may be extended should the records or information be required as evidence in a legal proceeding or audit.

It is quite possible that an email message, for which the retention period may just be beginning, contains an attachment for which the retention period is about to expire. The email management system should be able to manage these differences effectively.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that the email management system operated by (name of institution) (must / should) be able to accommodate differences in the retention periods of email messages and their attachments, as for example when an email message is at the start of its retention period, but contains an attachment which is nearing the end of its retention period.

When the retention period of an email message expires some time after the minimum retention period of the attachment, the expiry date of the attachment must be extended to match the expiry date of the message.

When the retention period of an email message expires some time after the maximum retention period of the attachment, the attachment must be promptly disposed of when its retention period expires. The email message must be kept for the remainder of its own retention period.

Note that it must also be possible to put a hold on any record (email, metadata or attachment) to prevent its disposition, whether scheduled or not, and whether intentional or not, in the event the record is required as evidence in legal or audit proceedings.
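The disposition rules in the sample policy statement above can be expressed as a small decision routine. The following is an added example, not part of the guidelines or of any particular email management product; the `Record` type, the "minimum"/"maximum" labels and the function names are hypothetical, and holds are assumed to apply per record.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Record:
    name: str
    expiry: date             # date the record's own retention period ends
    kind: str                # "minimum" or "maximum" retention (labels assumed here)
    on_hold: bool = False    # hold order for legal or audit proceedings


def disposition_date(record: Record, message: Optional[Record] = None) -> Optional[date]:
    """Earliest date the record may be disposed of; None while a hold applies.

    Pass `message` when `record` is an attachment of that message.
    """
    if record.on_hold:
        return None  # a hold blocks any disposition, scheduled or not
    if message is not None and record.kind == "minimum":
        # Minimum retention: extend the attachment to match a later message expiry.
        return max(record.expiry, message.expiry)
    if record.kind in ("minimum", "maximum"):
        # Maximum-retention attachment, or the message itself: own expiry governs.
        return record.expiry
    raise ValueError(f"unknown retention kind: {record.kind!r}")


def disposition_plan(message: Record, attachments: list, today: date) -> dict:
    """Map each record name to 'hold', 'keep' or 'dispose' as of `today`."""
    plan = {}
    for rec, parent in [(message, None)] + [(a, message) for a in attachments]:
        due = disposition_date(rec, parent)
        if due is None:
            plan[rec.name] = "hold"
        else:
            plan[rec.name] = "dispose" if today >= due else "keep"
    return plan


if __name__ == "__main__":
    # Constructed sample data, not taken from any real system.
    msg = Record("message", date(2030, 1, 1), "minimum")
    atts = [Record("report.pdf", date(2025, 6, 1), "minimum"),
            Record("personal.pdf", date(2025, 6, 1), "maximum"),
            Record("contract.pdf", date(2025, 6, 1), "maximum", on_hold=True)]
    print(disposition_plan(msg, atts, date(2025, 7, 1)))
```
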

5.24. Apply hold orders, when necessary, to delay disposition

Email management programs and systems should have the capacity to identify email information or records slated for disposition, and, when necessary, isolate or otherwise protect them from well-intended, ill-intended, or accidental destruction.

Party or Parties Responsible for Implementing and/or Applying the Recommendation:

  • Users
  • Network or System Administrators
  • Information Management Specialists

Rationale

Some government information and records are, by law, subject to maximum retention periods, and are to be disposed of when the retention period expires. It is an offence to retain such information past the prescribed retention period, unless the information is required for legal proceedings, audits or access to information requests. In such instances, the retention period may be extended for as long as necessary.

Note that courts have ruled against parties who disposed of information or records required as evidence - even if the disposition took place according to a long-established schedule. Rulings have been based on the principle that the party knew or should have known that the information would be required for specific legal proceedings, and should have applied a hold order to prevent disposition.

In some instances courts have ruled against parties who disposed of information or records on the grounds that the information was of such a nature that the party should have foreseen that it might be required as evidence, at some unspecified time in the future, in some as yet unknown legal proceeding.

Sample Policy Statement

If this recommended action is applicable, consider using the following sample policy statement.

If not, indicate what alternative action, if any, to apply.

It is the policy of (name of institution) that email management programs and systems must have the capacity to identify email information or records slated for disposition, and, when necessary, isolate or otherwise protect them from well-intended, ill-intended, or accidental destruction by applying a hold order.

Some government information and records are, by law, subject to maximum retention periods, and are to be disposed of when the retention period expires. It is an offence to retain such information past the prescribed retention period, unless the information is required for legal proceedings, audits or access to information requests. In such instances, the retention period may be extended for as long as necessary.

Files slated for disposition are to be assessed against their relevance to any known or impending or likely legal action or audit before disposition. If they are found to be relevant or if it is considered that they likely will be relevant to legal action or audit, a hold order must be imposed.

Any hold order should be reviewed annually and terminated if considered appropriate. A hold order may be terminated for records that have been held for legal proceedings or an audit which has concluded and for which there is no plan to appeal the findings.

Any employee who is aware of ongoing legal action or an audit involving the institution or who has reason to believe that such legal action is about to occur, or is likely to occur at some time in the future, should advise (legal counsel) who should, in turn, advise the (information manager) of any email records and information that may be relevant so that hold orders may be imposed, if necessary.
