Email and Web Browser Protections

Body

Issue/Question

What is the USD security policy on Email and Web Browser Protections

Environment

  • CIS Controls 9

Cause

Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity

Resolution

Email and Web Browser Protections

Policy Statement: The University recognizes the critical role of email and web browser protections in safeguarding its information systems against cyber threats. This policy establishes guidelines for implementing robust security measures to protect against phishing attacks, malware infections, and unauthorized access through email and web browsing activities.

Policy Implementation:

  1. Email Filtering and Security:

    • The University will deploy email filtering solutions to detect and block spam, phishing attempts, and malicious attachments before they reach users' inboxes.
    • Advanced threat protection mechanisms, such as anti-phishing detection, attachment sandboxing, and sender authentication, will be employed to enhance email security and block malware.
    • DMARC will be implemented with reject and/or quarantine.
    • Dangerous or unnecessary file types will be blocked.
  2. Email Encryption:

    • Email encryption will be implemented to protect sensitive information transmitted via email, ensuring confidentiality and integrity.
    • End-to-end encryption technologies, Microsoft 365 Message Encryption, will be used to encrypt email content and attachments.
  3. Web Browser Security Controls:

    • Web browsers used within the University environment will be configured with security controls to prevent exploitation of vulnerabilities and unauthorized access to web resources.
    • Browser security settings, including pop-up blockers, content filtering, and script blocking, will be enforced to mitigate the risk of drive-by downloads and web-based attacks.
    • Cloud access security tools will be used to block access to web applications deemed to be high risk.
    • DNS layer filtering and protection will be put in place.
    • Only authorized email and browser clients, extensions, plugins, and add-on apps will be allowed.
  4. Web Content Filtering:

    • Web content filtering solutions will be implemented to block access to malicious or inappropriate websites that may pose security risks or violate University policies.
    • Content filtering policies will be defined based on categories such as malware,  and phishing to enforce acceptable use of University resources.
    • Both endpoint and DNS based protection will be put in place.
    • URL filtering at the network and endpoint levels will be implemented
  5. User Awareness and Training:

    • The University will provide regular cybersecurity awareness training to educate users about email and web browsing best practices, including how to identify phishing attempts, recognize suspicious links, and report security incidents.
    • Training materials and resources will be made available to users to promote a culture of security awareness and proactive risk mitigation.

Compliance and Enforcement: Non-compliance with this policy may result in disciplinary action, including loss of access privileges, fines, or termination of employment. It is the responsibility of all members of the University community to adhere to this policy and actively participate in email and web browser protection measures.

Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of email and web browser protection controls.


This policy provides a comprehensive framework for implementing CIS Control 9 within the University environment, focusing on strengthening email and web browser protections to mitigate cyber threats and protect University resources.

Please contact the Service Desk if you need further assistance

ITS STAFF ONLY

  1. Follow Reviewing USD Security Policy Requests

Details

Details

Article ID: 8941
Created
Tue 3/5/24 9:36 AM
Modified
Mon 7/1/24 1:59 PM
KCS Article Status
WIP: Only Problem & some Environment captured
Not Validated: Complete & Resolution captured, confidence lacks in structure, content, no feedback
Validated: Complete & reusable, used by licensed KCS user, confidence in resolution & std. compliance
Validated

Related Articles

Related Articles (7)

A guide to avoiding legitimate University email landing in the Junk folder
How-to guide for encrypting email messages to USD, SDBOR, and external recipients
ITS has invested in KnowBe4 security awareness training to help our faculty and staff understand cyber attacks and phishing threats to themselves and the students that we all serve.