Search

Email Policy

POL19-Email Use Policy

Policy
This policy outlines DDC OS’ posture on corporate email governance and usage.

Email is a vital tool for undertaking business and all communications performed using this medium are considered information assets that belong to DDC OS.

Email is a primary attack vector for “bad actors” and “cyber criminals” in every industry, due to its widespread use, and the value of the information breached from a successful attack. Consequently, DDC OS will provide resources where required to maintain the confidentiality and integrity of this information asset and ensure enforcement of this policy, even by means of disciplinary action if necessary.

The objective of this policy is to achieve a zero-breach stance on the DDC OS corporate email system, which will safeguard our reputation and protect our information assets.

Scope
This policy applies to all DDC OS employees, contractors and agency workers and other individuals that have been granted use of the DDC OS email system.

For the avoidance of doubt, all DDC OS email addresses are in scope of this policy including, but not limited to, individually assigned email addresses (ie yourname@ddcos.com), shared or departmental mailboxes and email distribution groups.


Personal use
The use of DDC OS’ email system is for individuals that have been granted access to the system, to conduct work related purposes, on behalf of DDC OS.
DDC OS’ email system must not be used for conducting personal activities of any manner, unless approved by exception from the Director of IT. Even in the case of an exception being granted, personal activities conducted on DDC OS’ email system should be kept to a minimum.

Monitoring
DDC OS employees shall have no expectation of privacy in anything they store, send, or receive on the DDC OS’ email system. DDC OS will monitor messages without prior notice. DDC OS is not obliged to monitor email messages but will do so at any point it chooses. Examples of monitoring
on DDC OS mailboxes will undertake are (but will not be limited to) the following:


• Abusive or inappropriate content.
• Tone of message – all emails sent from your DDC OS email account must be always polite
and courteous, regardless of whether you are addressing customers, suppliers, or fellow
colleagues.
• Personal activities.
• General compliance with all DDC OS policies.

Threats to information security
DDC OS takes all threats to information security seriously. Threats as a result of attack vectors against our email systems are of a particular concern, when considering the sensitivity of information contained in a DDC OS mailbox.

Whilst DDC OS has invested considerably in technical controls to prevent unauthorised access to email data, such technical controls will not make our email systems impregnable.

Our last line of defence in the case of an email attack vector being exploited will always be our users of the email system. To this extent, we request that you are always diligent when using email communications, regardless of the device you are operating, and always follow these guidelines:


1. Never click on links or open email attachments contained within emails that are received by you from a sender that you do not recognise. Specifically, always check the full email address of the sender prior to clicking the link, if you are in any way suspicious.
2. Emails may appear to be from your colleagues and request you open an attachment, click a link, or request an action which is unusual. They may also contain unusual subject matter and content not normally sent to you by your colleagues. Report any instances of this to your line manager or the IT Team without delay and do vc not follow any instructions contained within the email.
3. Adopt a “when in doubt, don’t click or don’t open” approach to any suspicious emails received. Do not be anxious or hasty to click links or open attachments and seek assistance from the IT Team where required before doing so.
4. If you have identified what you believe to be a non-authentic email, do not hesitate to report it to the IT Team. We understand that this may involve the occasional reporting of “false positives” however a proactive approach will always be more effective and will ultimately mitigate the impact of risks occurring.
5. You will not be able to install any software on your devices nor will you be asked to install any software (such as email clients or Outlook plug-ins for example) either. You must immediately report all instances of such requests to the IT Team.
6. Always try to include links to documents you wish to share via email with others as opposed to sending attachments on email. Microsoft 365 services such as Teams, OneDrive and SharePoint enable you to do this effectively. If you require assistance or training in how to
do this, please contact the IT Team.
7. Never transmit account credentials and/or passwords via email. Email is not “end to end encrypted” and should not be used for this purpose, without exception.
8. As per the Acceptable Use Policy, DDC OS email may only be accessed via an authorised device.


Exceptions
All exceptions for allowing minimal personal use of corporate email on a per individual basis, must be approved in writing by the Director of IT.

Breaches
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Policy Owner and Maintenance
This policy is owned and maintained by the Compliance Officer.
This policy is approved by the CEO and CGO

John Callachan CEO                                                            Michelle Davies CGO

Contact

Get in touch