ISO 27001 and Bulk Email Policy - Your Thoughts, Please


chris02 - 2011

#1
Hi all,

We are in the process of pulling all our documentation together to become compliant with 27001, but one policy I am not sure about.

The beginnings of our 'Bulk Email Policy' are below and I would very much appreciate your thoughts. Is it good enough, does it cover the relevant points of 27001, does anything need to be added?

Many thanks

Chris

Bulk Email Policy

There are recognised ways of creating and sending bulk E-mails which should be adhered to whenever possible.
The preferred mechanism for high volume bulk e-mail should be the ..... List Server which is designed specifically for this purpose; a good example is e... which goes to 50K+ ..... Members once a week.
The other mechanisms available are Catalyst or Outlook; both of these have limitations which are outlined below.

1. Guidelines for List Server
The List Server manages mailings for groups of users. It produces multiple copies of a standard message, each addressed to a different email drawn from a pre-defined list of up to 100K recipients in a single mailing.
To establish if the List Server should be used for any particular requirement please contact the Service Desk in the first instance.
Guidelines are available for groups to use this service on the link below
F:\List server (LS)\Policies & Info\List server Jan 06 draft guidance notes version 2.1.doc


2. Guidelines when using Outlook
This is fairly easy to use but you should be aware of the following restrictions to its use:

• Ensure that the email addresses are placed in the ‘BCC’ (Blind Carbon Copy) field and NOT the ‘To’ or ‘CC’ fields. This is to ensure that the email address of each person on the list is not divulged to other recipients. Failure to comply could involve legal action under the Data Protection Act against both the Society and the member of staff.

• Limit the number of addresses. We recommend a limit of 500 depending on size of the email. Emails above this limit must use the List Server. Contact the Service Desk if you need more information on how to do this.

• Limit the total size of the emails to 50Mb. (e.g. you can send 100 emails of ½Mb or 25 of 2Mb).

• Unless the email is extremely urgent, it is recommended that the email be delayed for transmission. (This option is available by going to VIEW – OPTIONS – “Do not deliver before”). Please enter a value later than 17:00 - and the later the better.

• It is also advisable to contact the Service desk to inform them of any “very” large emails as there may be an impact on Outlook services if several are sent at once.

Within the Office application of Word it is also possible to create an “email mail merge” from an Excel spreadsheet or table of data – the same limitations apply as above.


3. Guidelines when using Catalyst
Within this mail engine, there are two settings regarding mail delivery – a limit on the size of any individual message; and a limit on the total size of all the messages sent in any one session.

Size Parameters:
Any message (including any attachments it contains) must be less than 2Mb in size. Moreover, the total size of all the messages that can be sent in any one session must not exceed 100Mb.

For example:
sending an email of 3Mb to someone would fail; sending 100 emails, each of 2Mb would fail; sending 500 emails, each of 0.5 Mb would fail.

On the other hand, sending an email of 2Mb or less would be fine; sending 100 emails each of 1Mb or less would succeed; as would sending 500 of 200Kb.

It is very unlikely that sending an email with no attachments to a lot of people would come anywhere close to the limit.

Taking care to assess the number and size of your bulk mailing and ensuring it is not over the limit will enable any bulk mails you send to get delivered successfully.

To do this, find out the total number of emails to be sent (Y) and the total size of the actual message (Z). As long as the total of Y x Z is not more than 100Mb – and the individual message is not larger than 2Mb - they will get sent.

If the total looks like being more than 100Mb, the best solution would be to send the mail in more than one batch. You can do the second one immediately after the first one – the only important thing is that you don’t try and send all the emails in one go.



NOTE.
In the event that someone is sending a very large email to a very large number of people and is not sure how to approach it, then please discuss the issue with IT. It may be possible to temporarily increase limits in some cases. However, for security and performance reasons we don't want to leave the limits too high all the time.
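Added example, not part of Chris's post or of the Society's own tooling: a pre-send check that applies the limits the draft quotes (Outlook: 500 addresses and 50 Mb in total; Catalyst: 2 Mb per message and Y x Z at most 100 Mb per session, with larger runs split into batches) and the Bcc rule from section 2. The function and class names are assumptions, and "Mb" is treated as mebibytes.

```python
from dataclasses import dataclass, field

MB = 1024 * 1024  # the policy writes "Mb"; treated here as mebibytes (assumption)

# Limits quoted in the draft policy text.
OUTLOOK_MAX_ADDRESSES = 500
OUTLOOK_MAX_TOTAL = 50 * MB
CATALYST_MAX_MESSAGE = 2 * MB
CATALYST_MAX_SESSION = 100 * MB


@dataclass
class Plan:
    ok: bool
    problems: list = field(default_factory=list)
    batches: list = field(default_factory=list)  # recipient lists, one per session


def check_bcc(headers: dict, max_visible: int = 1) -> list:
    """Section 2, first bullet: recipients of a bulk mail belong in Bcc so that
    no address is disclosed to the other recipients. Returns a list of problems.
    `headers` is a constructed dict of header name -> comma-separated addresses."""
    visible = []
    for name in ("To", "Cc"):
        visible += [a.strip() for a in headers.get(name, "").split(",") if a.strip()]
    if len(visible) > max_visible:
        return [f"{len(visible)} addresses visible in To/Cc; move them to Bcc"]
    return []


def plan_outlook(recipients: list, message_bytes: int) -> Plan:
    """Section 2: at most 500 addresses and 50 Mb in total. Larger runs are
    directed to the List Server, so no batching is offered for Outlook."""
    problems = []
    if len(recipients) > OUTLOOK_MAX_ADDRESSES:
        problems.append("more than 500 addresses: use the List Server")
    if len(recipients) * message_bytes > OUTLOOK_MAX_TOTAL:
        problems.append("total size above 50 Mb: use the List Server")
    return Plan(not problems, problems, [] if problems else [list(recipients)])


def plan_catalyst(recipients: list, message_bytes: int) -> Plan:
    """Section 3: each message at most 2 Mb and Y x Z at most 100 Mb per
    session; a larger run is split into batches to be sent one after another."""
    if message_bytes <= 0:
        raise ValueError("message size must be positive")
    if message_bytes > CATALYST_MAX_MESSAGE:
        return Plan(False, ["message larger than 2 Mb cannot be sent"])
    per_session = CATALYST_MAX_SESSION // message_bytes  # recipients per batch
    batches = [list(recipients[i:i + per_session])
               for i in range(0, len(recipients), per_session)]
    return Plan(True, [], batches)
```

Run against the draft's own worked cases, 500 mails of 0.5 Mb come back as three Catalyst batches (200, 200, 100) rather than one failed session.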
 

Stijloor

Staff member
Super Moderator
#2
Can someone with this experience help?

Thank you!

Stijloor.
 

chris02 - 2011

#3
Thanks for looking all,

I have managed to come up with some guidelines, detailed below, should anyone need help on this in the future.

Guidance on the use of Bulk Email


Bulk Email should be sent from a verifiable email account. Registration of email accounts should be controlled by the IT department with email recipients being able to verify the owner of the email address by contacting the organisation concerned.

Bulk Email should be sent using Blind Carbon Copy (Bcc) functionality. When replying to a Bulk Email, a user may intentionally or unintentionally use the Reply to All option, which would result in a second Bulk Email. This type of scenario has a tendency to lead to additional replies. Multiple replies to a Bulk Email can overwhelm an email system and be a nuisance to users. Leveraging Blind Carbon Copy functionality eliminates this risk and helps protect the privacy of recipients. In situations where a separate email is generated for each recipient, use of Blind Carbon Copy functionality is not necessary.

Bulk Email should have a Subject that clearly defines the purpose of the email. Ambiguous subject lines make it difficult to differentiate between legitimate emails and spam or phishing emails. As a result, an email may be inadvertently ignored or deleted. Unnecessary tags, such as RE and FWD, should also be avoided.

Avoid sending attachments in Bulk Email. Email attachments are a common tool for propagating computer viruses. As a result, some users are hesitant to open unexpected attachments. Senders of Bulk Email should consider posting files to their own hosted website and then providing instructions in the email on how to download the file. This provides some measure of authenticity. Sending large attachments to multiple recipients can also create unnecessary load on email servers.

Avoid hyperlinks to third-party websites. Spam and phishing emails often include hyperlinks to malicious websites. As a result, recipients may be hesitant to click on a hyperlink even in an email that appears legitimate. Similar to attachments, posting third-party hyperlinks to an organisation's hosted website provides some measure of authenticity.

Consider sending Bulk Email to a public distribution list(s) when available. Distribution lists allow a user to create filters to better sort and manage their emails. In some cases, distribution lists also allow a user to customise how they receive emails.
 

Meatgrinder

#4
Does anyone have any best practice policies towards the use of 3rd party email sending services like MailChimp or Constant Contact?

Thanks
~Stephen
 