Messaging and Collaboration Standards
FRANCIS MWAURA
Outline
Infrastructure and Universal Access to
1. Introduction
2. Issues
3. The Domain
4. Sub-domains
5. Scope, Target areas, References
6. General Requirements
Introduction
1. Messaging and Collaboration is the use of tools that deliver e-mail, calendaring, file sharing and other products for sharing information and supporting collaborative work.
2. E-mail and other personal information management resources can be accessed with desktop clients, mobile devices and web clients.
3. This standard seeks to enforce policies to govern how communication is carried out between various stakeholders with a view to making it more convenient, efficient and lawful.
4. Messaging and collaboration is a critical component of the GEA and forms part of the application architecture layer.
Issue
• Organisations are becoming both mobile and collaborative.
• This brings challenges in how data is passed from one user to another.
• It is therefore important for government (huge workforce) to enforce policies to govern how communication is carried out between various stakeholders with a view to making it more convenient, efficient and lawful.
Issue
Employees and citizens are using mobile devices to communicate in new and innovative ways that can really benefit MCAs. However, with this communication come new risks that can damage personal reputations and cast your organization in a negative light. Some of these risks and concerns include:
• Bullying
• Discrimination
• Loss of productivity
• Regulations
• Harassment
• Financial loss
• Potential litigation
• Data leakage
• Electronic records retention & production
E-mail and Collaboration Domains
Sub-domains of Messaging and Collaboration
• E-mail
• Social Media & Instant Messaging
• Collaboration tools
Sub-domains: E-mail; Social media and instant messaging; Collaboration tools
Target Areas
• Technology and Platform
• Acceptable use
• Official
• Private
• Naming Conventions
References
• CIO 2106.1 GSA
Sub-domains: E-mail; Social media and instant messaging; Collaboration tools
Target Areas
• Social Media Policy
• Acceptable use
• Privacy and Copyright
• Types of media tools
References
• CIO 2106.1 GSA
Privacy
Once a message is sent using social media it may be irreversibly public.
All agencies should have a statement regarding data storage and privacy on their social media profile to indemnify the agency against breaches when collecting records of social media.
Copyright
• Some sites state in their terms of usage that content remains the intellectual property of the individual or entity that posts the content (Facebook and Twitter).
• Other sites assert copyright over content posted on their platform; need to verify copyright remains with the crown.
Training staff
• Different communications tools carry different levels of risk.
• Develop and communicate social media policy.
• Ensure staff understand that some records are not suited to a social media environment.
• Social media usage policy states the purpose of each application use for the agency.
Sub-domains: E-mail; Social media; Collaboration tools
Target Areas
• Collaboration Guidelines
• Acceptable use
• Software
• Collaboration tools
• Devices
• Organization devices/Bring Your Own Device (BYOD) management
• Video and audio conference facility
References
• RFC 1324
Principles for Collaboration Systems
Collaboration Principles
• Interoperability: Several standards – e.g. H323, T120, SIP, Access Grid – which are inconsistent with themselves and with modern Web standards
• Integration: Integrate all forms of collaboration – instant messenger, audio-video conferencing, application sharing
• Life-cycle costs: commodity software components usage
• Extensibility: Interfaces defined for adding new capabilities
• Legacy: Support existing relevant infrastructure
• Network Quality of Service: communication links are dynamic and of variable quality and bandwidth.
Collaboration Issues to be addressed
• Performance: Allow maximum performance with given network with no unnecessary client or server overheads
• Fault Tolerance: Fault tolerant session control
• Security: Support multiple levels of security for clients, servers and communication traffic
• Scalability: Current systems are often limited by architecture or implementation (such as a single server) in number of simultaneous participants
• Pervasive Access: Need to support wide range of clients from hand-held devices to sophisticated desktop system.
• Ease of Use: Simple web portal interface; no special hardware
• Archiving: Universal mechanism for archiving collaborative sessio
(BYOD) management
Description of the standard
As much as BYOD might help government save costs and increase productivity, there is a need to manage the use of personal devices. This standard specifies that:
• use of personal devices will have to be approved by the IT department of government;
• personal devices will be installed with government encryption software to limit transfer of government data to authorised entities; and
• personal devices will have updated antivirus and licensed software.
Collaboration Software Functionality
Description of the standard
Collaboration systems acquired by an MCA shall:
• Enable a single sign-on to all the services.
• Support features such as email messaging, IP telephony, instant messaging, personal voice service, conference call services, data conference services, document and file sharing, collaborative document and file sharing, forums, data conferencing (sharing of a white board), short message service, chat, internal bulletin, address book, video and single sign-on.
• Integrate with existing directory systems for access to contact information.
• Enable grouping of users.
Collaboration Software Functionality (continued)
Description of the standard
Collaboration systems acquired by an MCA shall:
• Provide electronic group calendaring and scheduling.
• Provide project management systems to schedule and track a project as it is being completed.
• Provide workflow systems to manage the collaborative flow of documents and tasks.
• Provide intranet portal integration.
• Support different client operating platforms.
• Support common standards for interoperability with collaboration systems in other MCAs.
• Support email push to mobile devices.
Sub-domain: E-mail
Sub-domains: E-mail; Social media and Instant Messaging; Collaboration tools
Target Areas
• E-mail policy
• E-mail software
• E-mail Security
• E-mail naming conventions
• Acceptable usage of E-mail
• Organization devices/Bring Your Own Device (BYOD) management
• Email and IM Systems
• Procedures for Email Setup
Scope: E-mail based communication in MCAs
References
• RFC 3696
• RFC 5322
• RFC 6530
Email Policy
Each MCA is required to come up with an email policy, which should cover legislative requirements, business requirements and the rights of an individual.
There is a common misconception that email messages constitute an ephemeral form of communication; this could result in legal action being taken against [organisation] or individuals.
All email messages are subject to Data Protection and Freedom of Information Legislation and can also form part of the corporate record. Staff should be aware that email messages could be used as evidence in legal proceedings.
E-mail Software
Description of the standard
MCAs shall ensure that all corporate email software solutions acquired provide for:
• Sending of group emails.
• Creation of mailing lists from the server.
• Email search and retrieve.
• Creation of email folders.
• Email archiving.
• Scalability, to cater for a growing number of users.
• Global address book for all registered users.
• Sending email attachments of at least 5MB.
E-mail Software (continued)
Description of the standard
• Appending of a Digital Signature.
• Formatting of e-mail messages (text formatting, appending of graphics).
• Email account management.
• Security: real-time spam and junk mail filtering, password management and client/server system patching.
• Adequate disk quota for all email users.
• Back up of user mailboxes.
• Push to email support for mobile devices.
• The protocols supported by email shall include but not be limited to SMTP, MIME, POP3, IMAP4, LDAP version 3, SSL, TLS and Secure MIME.
E-mail Naming
Description of the standard
This standard establishes the guideline for the naming of email accounts and the file storage associated with these accounts. These standards should apply to all staff in the MCAs who use the email system for communication. Email naming will follow these conventions:
(1) the email account will be composed of first name and last name, e.g. [email protected], where xxxx is the name of the MCA; and
(2) the naming criteria will be consistent and uniform for all staff in a particular MCA.
Procedures for Email Setup
Description of the standard
This standard calls for a guideline to govern the account setup process for staff. MCAs should develop specific guidelines for setting up email accounts. This guideline should be based on:
(1) Defining the responsible personnel to initiate email account acquisition/application;
(2) Naming convention as per the standard;
(3) The email extension should reflect the correct MCA;
(4) Clearly defined service level;
(5) The approval hierarchy (workflow process).
Procedures for Email Setup (continued)
Description of the standard
(5) MDAs email accounts will be used for work related purposes (official use);
(6) There will be user guidelines for acceptable use;
(7) Mail capacity will be restricted to 300 MB. For more space an application should be made through the relevant authorities for approval; and
(8) a maximum file size of 4MB will be allowed to be sent at a time.
E-mail Usage
Description of the standard
The standard specifies that:
(1) An acceptable Usage of Email policy must be drawn up and implemented throughout the MDAs;
(2) MCAs shall ensure that all users within their organizations are supplied with an email address. Once a user has left, ensure the user account is disabled;
(3) Effective security and awareness training must be conducted;
(4) MCA e-mail accounts should be used only for Government-sanctioned communications.
E-mail Usage (continued)
Description of the standard
(5) All emails sent will always have a disclaimer to dissociate the government and identify the actual sender of email contents;
(6) All email is to be digitally signed by the sender to enhance non-repudiation;
(7) Email access applications will be password protected and passwords will be changed after every 30 days;
(8) Email access applications will be configured to automatically lock after 10 minutes when in idle status.
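An added example, not part of the original standard: a Python check that an outbound mail gateway could apply for the "digitally signed by the sender" requirement under E-mail Usage and the 4MB file limit under Procedures for Email Setup. It inspects the MIME structure only and does not verify the signature cryptographically; the function names, finding labels, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

MAX_FILE_BYTES = 4 * 1024 * 1024  # the standard's 4MB limit per file sent
SIG_TYPES = {"application/pkcs7-signature": "S/MIME",
             "application/pgp-signature": "PGP"}

def signature_scheme(msg):
    """Name the signing scheme the MIME structure declares, or None."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol", "")).lower()
        parts = msg.get_payload()
        # Detached signature: exactly two parts, the second of the declared type.
        if (proto in SIG_TYPES and isinstance(parts, list) and len(parts) == 2
                and parts[1].get_content_type() == proto):
            return SIG_TYPES[proto]
    elif ctype == "application/pkcs7-mime":
        # Opaque S/MIME: signed-data counts, enveloped-data (encrypted only) does not.
        if str(msg.get_param("smime-type", "")).lower() == "signed-data":
            return "S/MIME"
    return None

def check_outbound(raw):
    """Return policy findings for one raw RFC 5322 message; an empty list passes."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    if signature_scheme(msg) is None:
        findings.append("unsigned")
    for part in msg.walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            if len(part.get_payload(decode=True) or b"") > MAX_FILE_BYTES:
                findings.append("file-too-large:" + name)
    return findings

def sample_mail(content_type, body):
    # Constructed test message; the addresses are placeholders.
    head = ("From: sender@agency.example\r\nTo: rcpt@agency.example\r\n"
            f"MIME-Version: 1.0\r\nContent-Type: {content_type}\r\n\r\n")
    return (head + body).encode("ascii")

SIGNED_CT = 'multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"'
TEXT_PART = "--b1\r\nContent-Type: text/plain\r\n\r\nMinutes attached.\r\n"
SIGNED = sample_mail(SIGNED_CT, TEXT_PART
                     + "--b1\r\nContent-Type: application/pkcs7-signature\r\n"
                     "Content-Transfer-Encoding: base64\r\n\r\nUExBQ0VIT0xERVI=\r\n--b1--\r\n")
PLAIN = sample_mail("text/plain", "Minutes attached.\r\n")
# Declares a signature in its header but carries no signature part.
HOLLOW = sample_mail(SIGNED_CT, TEXT_PART + "--b1--\r\n")
```

The HOLLOW sample shows why the check counts the parts instead of trusting the Content-Type header alone; a message that passes here still needs its signature validated against the sender's certificate.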
Email Security
Threats to E-mail
Loss of confidentiality.
• E-mails are sent in clear over open networks.
• E-mails stored on potentially insecure clients and mail servers.
Loss of integrity.
• No integrity protection on e-mails; anybody can alter in transit or on mail server.
Lack of data origin authentication.
• Is this e-mail really from the person named in the From: field?
Lack of non-repudiation.
• Can I rely and act on the content? (integrity)
• If so, can the sender later deny having sent it? Who is liable if I have acted?
Lack of notification of receipt.
• Has the intended recipient received my e-mail and acted on it?
• A message locally marked as ‘sent’ may not have been delivered.
Procedures for Email Security
Description of the standard
E-mails shall be archived legally and accessed for legal services. Security of email servers shall at all times be enforced. As a minimum, MCAs shall ensure that:
• Email transmission is secured through the use of encryption technology such as SSL or TLS among others.
• All updates, patches, service packs and any other software update packages are applied on a timely basis on relevant servers and workstations.
• Adequate disaster recovery plans are in place for email services.
Procedures for Email Security (continued)
Description of the standard
• Encryption of devices.
• Securing the operating system underlying a mail server.
• Network protection mechanisms, such as firewalls, routers, switches, and intrusion detection and intrusion prevention systems.
• Securing mail clients.
• Administering the mail server in a secure manner, including backups, anti-virus, firewalls, security testing, and log reviews.
E-mail security Best practice
Description of the standard
Secure the server to client connections (easy thing first)
• https access to webmail
• Protection against insecure wireless access
Secure the end-to-end email delivery
• The Pretty Good Privacy (PGPs) of the world
• Digital signatures, Organizational PKI: digital cert
• Other defunct standards: PEM (privacy enhanced mail), (Secure/Multipurpose Internet Mail Extension) S/MIME, IETF.
• Requires users have public keys for secure com
THANK YOU