Information transfer could occur between colleagues, across networks, between divisions within an organisation, across borders or to third party processors – or a mixture of all of these. Information needs to be managed so that its integrity and confidentiality are preserved at all times, with controls chosen according to a risk assessment, to prevent any loss, theft or corruption. Depending upon the nature of the sender and recipient, the data transfer may also be subject to legal requirements.
Policies and procedures should exist that reflect the organisation's requirements and should include protection from interception, copying, modification, mis-direction or destruction. This should be backed up by acceptable use policies, a policy covering attachment handling, the use of encryption and any pseudonymisation of data (see GDPR).
Retention and disposal guidelines should be established by information asset owners (see media handling). Controls should be considered to cover automatic forwarding to external addresses, and to avoid leaving confidential information where it could be discovered or intercepted by third parties, e.g. on answerphones or faxes.
Furthermore, confidential conversations should take place in a secure environment.
Information transfer should comply with legal requirements – for example EU-US Privacy Shield (formerly Safe Harbour). Agreements should exist between information exchange parties to ensure responsibility/liability, traceability, technical standards, escrow, courier requirements, labelling, encryption, chain of custody and access controls.
Like other information assets, the email system should be risk assessed and appropriate controls applied to maintain CIA. Consideration should be given to the use of electronic signatures, the use of authentication/encryption within public networks, and the use of social or filesharing networks.
Confidentiality / Non-disclosure agreements
These should be applicable to both internal and external individuals with access to the organisation's information assets. The agreements should cover the nature of the information, the duration of the agreement, termination procedures, responsibilities and ownership, permitted use, the right to audit, processes covering the reporting of a breach/leak, and return/destruction of the information. An example would be emails sent by an employee: in the absence of a right to audit, management could not access the employee's email.