Communications security

Policy statement

This control procedure defines the university’s approach to communications security, and directly supports the following policy statement from the Information Security Policy:

“The university will maintain network security controls to ensure the protection of information within its networks, and provide the tools and guidance to ensure the secure transfer of information both within its networks and with external entities, in line with the classification and handling requirements associated with that information.”

“The university will provide guidance and tools to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and integrity of information and systems.”

Audience

This procedure is intended to be read and understood by IT & digital staff and other staff who are responsible for the management of IT systems, and by staff who may be engaging third parties and require descriptions of, or assurance around, the university’s technical defences.

Control statements

Email – blocking by content

The decision to accept or reject email should be taken by the individual recipient. However, there are cases where the university will reject messages to protect the network or for policy reasons. This could include messages containing material that is threatening, abusive or otherwise unlawful, or which would be considered as coming under the classification of prohibited use under the Acceptable use control procedure. This blocking is done via email security appliances, managed by IT & digital.

It is very difficult to reliably identify incoming emails as ‘spam’. The university subscribes to services that help to identify such mailings, but these services cannot identify all spam, and they may occasionally falsely identify valid messages as being spam.

An incoming email which is identified as ‘spam’ will be subject to one of three actions based on a points score given by the email security appliance. The score is made up of numerous metrics and is continuously updated by the email security appliance vendor.

All emails entering the organisation will be tagged to inform our staff and students the email has originated from outside of Manchester Met. Tagged messages should be treated with caution: links should not be followed and attachments not downloaded unless the recipient recognises the sender and believes the content to be safe. 

An email that the system identifies as containing spam will be placed ‘on hold’ by the system. This will send a message to the user’s mailbox to notify them that a suspected spam message has been detected. Users may then follow the link to the email security gateway to delete any messages filtered in this manner, or allow them through if they would rather receive them. 

In the event the email contains malicious content, the email will be ‘blocked’. The email security appliance will block the message before it reaches the recipient’s mailbox. In this instance, the recipient is not alerted to the presence of the message in any way.

The university reserves the right to retrospectively remove, at any time, any emails delivered to mailboxes that are deemed a security risk.

Mail can also be tagged if the email security appliance detects that a sender is attempting to impersonate a staff member. This detection takes into account the sender’s display name, the email content, attachments and other key indicators. If the email is determined to be suspicious, a banner will be added to the email indicating the attempted impersonation.  

Email – blocking by attachments

The university also reserves the right to reject certain types of email attachments to prevent the spread of malware. If the central mail gateway receives an email with any of these attachment types, it will be returned to the sender with an explanation as to why it has been rejected.

The message of rejection will invite the sender to liaise with the recipient about alternate means of transfer, or to re-send the mail with the offending attachment in a safer format.

The blocked file types include, but are not limited to:

  • .vbs
  • .vbe
  • .wsh
  • .wsf
  • .js
  • .jse
  • .exe
  • .com
  • .bat
  • .wcm
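
The attachment check described above can be sketched as follows. This is an added example, not the university's gateway configuration: the function names and the sample message are constructed for illustration, and the extension set contains only the types listed on this page.

```python
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions named on this page; the page says the real list is longer.
BLOCKED_EXTENSIONS = frozenset({".vbs", ".vbe", ".wsh", ".wsf", ".js",
                                ".jse", ".exe", ".com", ".bat", ".wcm"})


def blocked_extension(filename: str) -> Optional[str]:
    """Return the blocked extension the file would open with, else None."""
    # Windows drops trailing dots and spaces, so "a.exe. " opens as "a.exe".
    name = filename.rstrip(". \t").lower()
    dot = name.rfind(".")
    if dot == -1:
        return None
    # Only the final extension picks the handler: "x.pdf.exe" is an .exe.
    ext = name[dot:]
    return ext if ext in BLOCKED_EXTENSIONS else None


def rejected_attachments(msg: EmailMessage) -> List[Tuple[str, str]]:
    """Walk every MIME part, nested ones included, and list blocked files."""
    hits = []
    for part in msg.walk():
        filename = part.get_filename()  # None for parts without a file name
        ext = blocked_extension(filename) if filename else None
        if ext:
            hits.append((filename, ext))
    return hits


def gateway_decision(msg: EmailMessage) -> str:
    """'reject' returns the mail to the sender; 'accept' lets it continue."""
    return "reject" if rejected_attachments(msg) else "accept"


def constructed_sample() -> EmailMessage:
    """Constructed test message, not real traffic."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in ("report.pdf", "Invoice.PDF.EXE", "update.Js", "readme.txt"):
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg
```

Matching on the file name alone does not inspect archive contents or file signatures, so a check of this kind complements content scanning rather than replacing it.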

Email – encryption

The Information Classification Scheme recommends protecting the content and/or attachments of emails based on the classification of the data.

Exchange Online provides two encryption features – encrypt only and do not forward. Guidance on both options is available on the IT & digital website. 

For users who require secure communications with public sector bodies (such as HM Government, the NHS or the Police) the University can utilise the Criminal Justice Secure Mail system. Ask the Information Security team for more details. 

Email – authenticity

The university actively checks the legitimacy of the origin of inbound mail using SPF monitoring. SPF checking verifies that the sending server of any given email is referenced as authorised by the domain owner.

Should an email fail an inbound SPF check, the email security appliance will ‘tag’ this message as potential spam. Staff should treat these messages with caution, as with any other ‘tagged’ message. The University does not currently process mail based on DKIM or DMARC signing, because these tools are less mature and produce numerous false positives. This policy is assessed at regular intervals.

We also operate an up-to-date outbound SPF record, providing assurance for external recipients on the authenticity of the university-designated sending servers. The University also has plans to develop outbound mail signing by incorporating DKIM alongside SPF to form a full DMARC chain. It should be noted that signing a message with SPF, DKIM or DMARC does not directly influence the deliverability of the message; this is dictated by the configuration and behaviour of the recipient’s mail server and/or email security appliance, depending on the presence of these flags.

Network – perimeter security

The university deploys next-generation perimeter firewalling with botnet filtering. In addition, IPS provides a deep-packet inspection feature that mitigates a wide range of network attacks. In the event of an actual or suspected attack, it helps pinpoint the source of the attack and take the appropriate action such as alerting staff or dropping the connection in real time.

Web filtering is in place to block access to malicious destinations before a connection is established, using constantly updated signatures. Access to malware, ransomware, phishing and command & control callbacks over any port or protocol is blocked before threats reach us. This service also permits the blocking of categories or protocols of web traffic where the Information Security team requires this.

Network – firewalling and segregation

Most virtual machines on the server estate are effectively firewalled using the network virtualisation platform, so east/west traffic between virtual machines has to be explicitly permitted, both outbound from the source and inbound at the destination. VMs can be grouped together where shared ports/protocols exist, and a standardised naming scheme ensures that virtual machines can be online with a comprehensive list of firewall rules in a matter of seconds once built by the server team.

North / south traffic from outside the virtual environment has to be permitted further through an internal firewall cluster and, in some cases, again on the destination host. This permits high granularity in traffic permissions such as IP, hostname, subnet, etc.

Wi-Fi secure access policies allow us to control the policies applied to the end user, depending on who the user is and whether they connect from a managed device or their own device.

Perimeter and internal firewall rules are formally reviewed by the IT & digital Infrastructure and Operations teams on an annual basis.

Network – remote access

Remote access options are detailed in the Information Security Control Procedure – Mobile and Remote Access.

Compliance

Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure. 

Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.

Related documents

This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.

Browse Information Security policies and control procedures

Review

A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.

Version: 4.2
Release date: 01/11/2023
Review date: 01/10/2024