ISO 27001 and Bulk Email Policy - Your Thoughts, Please


chris02 - 2011

Hi all,

We are in the process of pulling all our documentation together to become compliant with 27001, but there is one policy I am not sure about.

The beginnings of our 'Bulk Email Policy' are below and I would very much appreciate your thoughts. Is it good enough, does it cover the relevant points of 27001, does anything need to be added?

Many thanks

Chris

Bulk Email Policy

There are recognised ways of creating and sending bulk E-mails which should be adhered to whenever possible.
The preferred mechanism for high volume bulk e-mail should be the ..... List Server which is designed specifically for this purpose; a good example is e... which goes to 50K+ ..... Members once a week.
The other mechanisms available are Catalyst or Outlook; both of these have limitations which are outlined below.

1. Guidelines for List Server
The List Server manages mailings for groups of users. It produces multiple copies of a standard message, each addressed to a different email drawn from a pre-defined list of up to 100K recipients in a single mailing.
To establish if the List Server should be used for any particular requirement please contact the Service Desk in the first instance.
Guidelines are available for groups to use this service at the link below:
F:\List server (LS)\Policies & Info\List server Jan 06 draft guidance notes version 2.1.doc


2. Guidelines when using Outlook
This is fairly easy to use but you should be aware of the following restrictions to its use:

• Ensure that the email addresses are placed in the ‘BCC’ (Blind Carbon Copy) field and NOT the ‘To’ or ‘CC’ fields. This is to ensure that the email address of each person on the list is not divulged to other recipients. Failure to comply could involve legal action under the Data Protection Act against both the Society and the member of staff.

• Limit the number of addresses. We recommend a limit of 500 depending on size of the email. Emails above this limit must use the List Server. Contact the Service Desk if you need more information on how to do this.

• Limit the total size of the emails to 50Mb. (e.g. you can send 100 emails of ½Mb or 25 of 2Mb).

• Unless the email is extremely urgent, it is recommended that the email be delayed for transmission. (This option is available by going to VIEW – OPTIONS – “Do not deliver before”). Please enter a value later than 17:00 - and the later the better.

• It is also advisable to contact the Service Desk to inform them of any “very” large emails as there may be an impact on Outlook services if several are sent at once.

Within the Office application of Word it is also possible to create an “email mail merge” from an Excel spreadsheet or table of data – the same limitations apply as above.


3. Guidelines when using Catalyst
Within this mail engine, there are two settings regarding mail delivery – a limit on the size of any individual message; and a limit on the total size of all the messages sent in any one session.

Size Parameters:
Any message (including any attachments it contains) must be less than 2Mb in size. Moreover, the total size of all the messages that can be sent in any one session must not exceed 100Mb.

For example:
sending an email of 3Mb to someone would fail; sending 100 emails, each of 2Mb would fail; sending 500 emails, each of 0.5 Mb would fail.

On the other hand, sending an email of 2Mb or less would be fine; sending 100 emails each of 1Mb or less would succeed; as would sending 500 of 200Kb.

It is very unlikely that sending an email with no attachments to a lot of people would come anywhere close to the limit.

Taking care to assess the number and size of your bulk mailing and ensuring it is not over the limit will enable any bulk mails you send to get delivered successfully.

To do this, find out the total number of emails to be sent (Y) and the total size of the actual message (Z). As long as the total of Y x Z is not more than 100Mb – and the individual message is not larger than 2Mb - they will get sent.

If the total looks like being more than 100Mb, the best solution would be to send the mail in more than one batch. You can do the second one immediately after the first one – the only important thing is that you don’t try and send all the emails in one go.



NOTE.
In the event that someone is sending a very large email to a very large number of people and is not sure how to approach it, please discuss the issue with IT. It may be possible to temporarily increase limits in some cases. However, for security and performance reasons we don’t want to leave the limits too high all the time.
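A small planner for the size rules in the Outlook and Catalyst sections of the draft above, as an added example that is not part of Chris's policy or of the products it names. It takes sizes in Kb with 1Mb assumed to be 1000Kb, and treats the Catalyst per-message limit as strictly less than 2Mb, as the Size Parameters paragraph states.

```python
# Limits as written in the draft policy. Sizes are in Kb, with 1Mb taken as
# 1000Kb (an assumption: the policy uses Mb/Kb loosely and states no base).
CATALYST_MAX_MESSAGE_KB = 2_000     # each Catalyst message must be less than 2Mb
CATALYST_MAX_SESSION_KB = 100_000   # Y x Z for one Catalyst session, at most 100Mb
OUTLOOK_MAX_RECIPIENTS = 500        # recommended Outlook address limit
OUTLOOK_MAX_TOTAL_KB = 50_000       # total size of one Outlook bulk send

def outlook_allowed(recipients, message_kb):
    """The Outlook guideline: at most 500 addresses and 50Mb in total."""
    return (recipients <= OUTLOOK_MAX_RECIPIENTS
            and recipients * message_kb <= OUTLOOK_MAX_TOTAL_KB)

def plan_catalyst_mailing(recipients, message_kb):
    """Return (sendable, batches, recipients_per_batch) for a Catalyst mailing.

    sendable is False only when one copy already breaks the 2Mb limit, which no
    batching can fix; otherwise the mailing is split into the fewest sessions
    that each keep Y x Z within the 100Mb session total.
    """
    if recipients <= 0 or message_kb <= 0:
        raise ValueError("recipients and message_kb must be positive")
    if message_kb >= CATALYST_MAX_MESSAGE_KB:
        return False, 0, 0
    per_batch = CATALYST_MAX_SESSION_KB // message_kb   # largest Y for this Z
    batches = (recipients + per_batch - 1) // per_batch  # integer ceiling
    return True, batches, min(recipients, per_batch)

def fits_one_session(recipients, message_kb):
    """The policy's Y x Z check for a single session, with no batching."""
    sendable, batches, _ = plan_catalyst_mailing(recipients, message_kb)
    return sendable and batches == 1

if __name__ == "__main__":
    # The policy's own cases: 500 x 0.5Mb fails in one go but fits in 3 batches.
    print(fits_one_session(500, 500), plan_catalyst_mailing(500, 500))
    print(fits_one_session(100, 1000), outlook_allowed(100, 500))
```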
 

Stijloor

Leader
Super Moderator

Can someone with this experience help?

Thank you!

Stijloor.
 

chris02 - 2011

Thanks for looking all,

I have managed to come up with some guidelines, detailed below, should anyone need help on this in the future.

Guidance on the use of Bulk Email


Bulk Email should be sent from a verifiable email account. Registration of email accounts should be controlled by the IT department with email recipients being able to verify the owner of the email address by contacting the organisation concerned.

Bulk Email should be sent using Blind Carbon Copy (Bcc) functionality. When replying to a Bulk Email, a user may intentionally or unintentionally use the Reply to All option, which would result in a second Bulk Email. This type of scenario has a tendency to lead to additional replies. Multiple replies to a Bulk Email can overwhelm an email system and be a nuisance to users. Leveraging Blind Carbon Copy functionality eliminates this risk and helps protect the privacy of recipients. In situations where a separate email is generated for each recipient, use of Blind Carbon Copy functionality is not necessary.

Bulk Email should have a Subject that clearly defines the purpose of the email. Ambiguous subject lines make it difficult to differentiate between legitimate emails and spam or phishing emails. As a result, an email may be inadvertently ignored or deleted. Unnecessary tags, such as RE and FWD, should also be avoided.

Avoid sending attachments in Bulk Email. Email attachments are a common tool for propagating computer viruses. As a result, some users are hesitant to open unexpected attachments. Senders of Bulk Email should consider posting files to their own hosted website and then providing instructions in the email on how to download the file. This provides some measure of authenticity. Sending large attachments to multiple recipients can also create unnecessary load on email servers.

Avoid hyperlinks to third-party websites. Spam and phishing emails often include hyperlinks to malicious websites. As a result, recipients may be hesitant to click on a hyperlink even in an email that appears legitimate. Similar to attachments, posting third-party hyperlinks to an organisation's hosted website provides some measure of authenticity.

Consider sending Bulk Email to a public distribution list(s) when available. Distribution lists allow a user to create filters to better sort and manage their emails. In some cases, distribution lists also allow a user to customise how they receive emails.
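A draft-message checker for the guidance above, as an added example that is not part of Chris's post. It uses Python's standard email package, assumes the organisation's domain is the placeholder example.org, and treats a sender in that domain as the "verifiable account" the first guideline asks for; the draft it checks is constructed.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

ORG_DOMAIN = "example.org"  # assumed organisation domain (placeholder value)
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)

def check_bulk_email(raw):
    """Return a list of guideline findings for one draft message (empty = clean)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Verifiable sender: From must be an account in the organisation's domain.
    sender = getaddresses([msg.get("From", "")])
    if not sender or not sender[0][1].lower().endswith("@" + ORG_DOMAIN):
        findings.append("sender is not an organisation account")
    # 2. Recipients belong in Bcc: more than one visible To/Cc address leaks the list.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if len(visible) > 1:
        findings.append(f"{len(visible)} addresses visible in To/Cc; use Bcc")
    # 3. Subject must state the purpose of the mail and carry no RE/FWD tag.
    subject = (msg.get("Subject") or "").strip()
    if not subject or subject.lower().startswith(("re:", "fw:", "fwd:")):
        findings.append("subject is empty or carries an RE/FWD tag")
    # 4. No attachments: files belong on the organisation's own site, linked from the mail.
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        findings.append("message carries an attachment")
    # 5. No hyperlinks to third-party hosts (only the organisation's own domain).
    body = msg.get_body(preferencelist=("plain", "html"))
    for host in URL_RE.findall(body.get_content() if body else ""):
        host = host.rsplit("@", 1)[-1].split(":")[0].lower()
        if host != ORG_DOMAIN and not host.endswith("." + ORG_DOMAIN):
            findings.append(f"hyperlink to third-party host {host}")
    return findings
# Constructed draft (not a real message) that breaks four of the five guidelines.
BAD_DRAFT = """\
From: Comms Team <comms@example.org>
To: a@example.net, b@example.net, c@example.net
Subject: FW: Newsletter
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Read the update at http://files.third-party.test/news.pdf
--b1
Content-Disposition: attachment; filename="news.pdf"

--b1--
"""
print(*check_bulk_email(BAD_DRAFT), sep="\n")
```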
 

Meatgrinder

Does anyone have any best practice policies towards the use of 3rd party email sending services like MailChimp or Constant Contact?

Thanks
~Stephen
 