Email Security
Policy
Employees and contractors should be aware of the security implications of email communication, for instance:
- Users should be aware that email may not originate from the person it purports to come from and use care in responding to it.
- Sensitive information like passwords and IDs should not be communicated by email.
- Avoid sending sensitive files as email attachments.
- Share Dropbox files using Dropbox's recommended protocols.
Scope
This policy applies to Lullabot employees and contractors.
Compliance
Each individual is expected to use caution in any email they initiate or receive, and to help monitor and remind others of potential security vulnerabilities in any email threads they are included in.
Explanation and Implementation
Avoid sending sensitive information in email, including:
- Passwords
- Server credentials
- Private keys
- Government-issued IDs (Social Security numbers, etc.)
- Other private credentials or IDs
Secure methods for communicating sensitive credentials or information include:
- Use a shared vault in 1Password.
- Exchange the information verbally, on a video call or by phone.
- Use BambooHR for HR-related confidential information.
- For clients without a password manager or the expertise to use encryption, use 1Password links to manage items and their access.
Be conscious of the fact that email might be intercepted or viewed by people other than the intended recipients, so don’t attach sensitive files to emails.
Dropbox is a secure way to share some types of information, but be aware of the best ways to use it:
- Use Dropbox's file sharing protocol to control access to files and folders that need to be shared, and to share them securely.
- Dropbox links may be accessible by anyone who has the link, so use the "share" process rather than copy/pasting Dropbox links in email.
- Note that Dropbox allows items to be shared ‘read-only’. Follow the principle of minimum required access and offer write access only when it is required.
- Consider encrypting the files before uploading them to Dropbox. Dropbox does not provide meaningful encryption of files by default.
- For clients and external vendors without their own solutions, Dropbox File Requests can be used to ask for files.
Everyone should be aware that email they receive may not originate from the source it purports to come from. A common threat is phishing: an attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity. All email requests for sensitive information should be verified independently, not by using links or phone numbers included in the email, but by using previously vetted contact information to call or otherwise contact the person and confirm the request.