Messaging and Collaboration Standards FRANCIS MWAURA

icta.go.ke/pdf/Messaging-Collaboration.pdf


Outline

Infrastructure and Universal Access to

1. Introduction
2. Issues
3. The Domain
4. Sub-domains
5. Scope, Target areas, References
6. General Requirements


Introduction

1. Messaging and Collaboration is the use of tools that deliver e-mail, calendaring, file sharing and other products for sharing information and supporting collaborative work.

2. E-mail and other personal information management resources can be accessed with desktop clients, mobile devices and web clients.

3. This standard seeks to enforce policies to govern how communication is carried out between various stakeholders with a view of making it more convenient, efficient and lawful.

4. Messaging and collaboration is a critical component of the GEA and it forms part of the application architecture layer.

Issue

• Organisations are becoming both mobile and collaborative.

• This brings challenges on how data is passed across from one user to another.

• It is therefore important for government (huge workforce) to enforce policies to govern how communication is carried out between various stakeholders with a view of making it more convenient, efficient and lawful.


Employees and citizens are using mobile devices to communicate in new and innovative ways that can really benefit MCAs. However, with this communication comes new risks that can damage personal reputations and cast your organization in a negative light. Some of these risks and concerns include:

RISKS

• Bullying
• Discrimination
• Loss of productivity
• Regulations
• Harassment
• Financial loss
• Potential litigation
• Data leakage
• Electronic records retention & production

E-mail and Collaboration Domains

Sub-domains of Messaging and Collaboration:
• E-mail
• Social Media & Instant Messaging
• Collaboration tools

Sub-domains

1. E-mail
2. Social media and instant messaging
3. Collaboration tools

Target Areas
• Technology and Platform
• Acceptable use
• Official
• Private
• Naming Conventions

References
• CIO 2106.1 GSA

Sub-domains

Target Areas
• Social Media Policy
• Acceptable use
• Privacy and Copyright
• Types of media tools

References
• CIO 2106.1 GSA

Privacy

Once a message is sent using social media it may be irreversibly public.

All agencies should have a statement regarding data storage and privacy on their social media profile to indemnify the agency against breaches when collecting records of social media.

Copyright

• Some sites state in their terms of usage that content remains the intellectual property of the individual or entity that posts the content – Facebook and Twitter

• Other sites assert copyright over content posted on their platform – need to verify copyright remains with the crown

Training staff

Different communications tools carry different levels of risk

Develop and communicate social media policy

Ensure staff understand that some records are not suited to a social media environment

Social media usage policy states the purpose of each application use for the agency

Sub-domains

Target Areas
• Collaboration Guidelines
• Acceptable use
• Software
• Collaboration tools
• Devices
• Organization devices/Bring Your Own Device (BYOD) management
• Video and audio conference facility

References
• RFC 1324


Principles for Collaboration Systems

Collaboration Principles

Interoperability: Several standards – e.g. H323, T120, SIP, Access Grid – which are inconsistent with themselves and with modern Web standards

Integration: Integrate all forms of collaboration – instant messenger, audio-video conferencing, application sharing

Life-cycle costs: commodity software components usage

Extensibility: Interfaces defined for adding new capabilities

Legacy: Support existing relevant infrastructure

Network Quality of Service: communication links are dynamic and of variable quality and bandwidth.

Collaboration Issues to be addressed

Performance: Allow maximum performance with given network with no unnecessary client or server overheads

Fault Tolerance: Fault tolerant session control

Security: Support multiple levels of security for clients, servers and communication traffic

Scalability: Current systems are often limited by architecture or implementation (such as a single server) in number of simultaneous participants

Pervasive Access: Need to support wide range of clients from hand-held devices to sophisticated desktop system.

Ease of Use: Simple web portal interface; no special hardware

Archiving: Universal mechanism for archiving collaborative sessio

(BYOD) management

Description of the standard

As much as BYOD might help government save costs and increase productivity, there is need to manage the use of personal devices. This standard specifies that:
• use of personal devices will have to be approved by the IT department of government;
• personal devices will be installed with government encryption software to limit transfer of government data to authorised entities; and
• personal devices will have updated antivirus and licensed software.

Collaboration Software Functionality

Description of the standard

Collaboration systems acquired by an MCA shall:
• Enable a single sign on to all the services.
• Support features such as email messaging, IP telephony, instant messaging, personal voice service, conference call services, data conference services, document and file sharing, collaborative document and file sharing, forums, data conferencing (sharing of a white board), short message service, chat, internal bulletin, address book, video and single sign-on.
• Integrate with existing directory systems for access to contact information.
• Enable grouping of users.

Collaboration Software Functionality

Description of the standard

Collaboration systems acquired by an MCA shall:
• Provide electronic group calendaring and scheduling.
• Project management systems to schedule and track a project as it is being completed.
• Workflow systems to manage the collaborative flow of documents and tasks.
• Intranet portal integration.
• Support different client operating platforms.
• Support common standards for interoperability with collaboration systems in other MCAs.
• Support email push to mobile devices.

Sub-domain: E-mail

Scope: E-mail based communication in MCAs

Target Areas
• E-mail policy
• E-mail software
• E-mail Security
• E-mail naming conventions
• Acceptable usage of E-mail
• Organization devices/Bring Your Own Device (BYOD) management
• Email and IM Systems
• Procedures for Email Setup

References
• RFC 3696
• RFC 5322
• RFC 6530

Email Policy

Each MCA is required to come up with an email policy, which should cover legislative requirements, business requirements and the rights of an individual.

There is a common misconception that email messages constitute an ephemeral form of communication; this could result in legal action being taken against [organisation] or individuals.

All email messages are subject to Data Protection and Freedom of Information Legislation and can also form part of the corporate record. Staff should be aware that email messages could be used as evidence in legal proceedings.

E-mail Software

Description of the standard

MCAs shall ensure that all corporate email software solutions acquired provide for:
• Sending of group emails.
• Creation of mailing lists from the server.
• Email search and retrieve.
• Creation of email folders.
• Email archiving.
• Scalability, to cater for growing number of users.
• Global address book for all registered users.
• Sending email attachments of at least 5MB.

E-mail Software

Description of the standard

• Appending of a Digital Signature.
• Formatting of e-mail messages (text formatting, appending of graphics).
• Email account management.
• Security: real-time spam and junk mail filtering, password management and client/server system patching.
• Adequate disk quota for all email users.
• Back up of user mailboxes.
• Push to email support for mobile devices.
• The protocols supported by email shall include but not be limited to SMTP, MIME, POP3, IMAP4, LDAP version 3, SSL, TLS and Secure MIME.

E-mail Naming

Description of the standard

This standard establishes the guideline for the naming of email accounts and the file storage associated with these accounts. These standards should apply to all staff in the MCAs who use the email system for communication. Email naming will follow the following conventions:
(1) the email account will be composed of first name and last name, e.g. [email protected], where xxxx is the name of the MCA; and
(2) the naming criteria will be consistent and uniform for all staff in a particular MCA.

Procedures for Email Setup

Description of the standard

This standard calls for a guideline to govern the account set up process for staff. MCAs should develop specific guidelines for setting up email accounts. This guideline should be based on:
(1) Defining the responsible personnel to initiate email account acquisition/application;
(2) Naming convention as per the standard;
(3) The email extension should reflect the correct MCA;
(4) Clearly defined service level;
(5) The approval hierarchy (workflow process).

Procedures for Email Setup

Description of the standard

(5) MDAs email account will be used for work related purposes (official use);
(6) There will be user guidelines for acceptable use;
(7) Mail capacity will be restricted to 300 MB. For more space an application should be made through the relevant authorities for approval; and
(8) a maximum file size of 4MB will be allowed to be sent at a time.

E-mail Usage

Description of the standard

The standard specifies that:
(1) An acceptable Usage of Email policy must be drawn up and implemented throughout the MDAs;
(2) MCAs shall ensure that all users within their organizations are supplied with an email address. Once a user has left, ensure the user account is disabled;
(3) Effective security and awareness training must be conducted;
(4) MCA e-mail accounts should be used for only Government-sanctioned communications.

E-mail Usage

Description of the standard

(5) All emails sent will always have a disclaimer to dissociate the government and identify the actual sender of email contents;
(6) All email to be digitally signed by the sender to enhance non-repudiation;
(7) Email access applications will be password protected and passwords will be changed after every 30 days;
(8) Email access applications will be configured to automatically lock after 10 minutes when in idle status.
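The following added example, which is not part of the original presentation, checks a raw outbound message against E-mail Usage item (6) (digital signature) and Email Setup item (8) (4MB file limit) using Python's standard email package. The sample messages, the agency.example domain and all function names are constructed for illustration, and the signature test is structural only: it does not validate the signature or the signer's certificate.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Setup item (8): "4MB", read here as 4 MiB per attached file (assumption).
MAX_FILE_BYTES = 4 * 1024 * 1024
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature",
                   "application/pgp-signature"}


def is_signed(msg):
    """Structural test: does the message have the MIME shape of a signed mail?"""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":  # detached signature (S/MIME or PGP/MIME)
        proto = (msg.get_param("protocol") or "").lower()
        parts = msg.get_payload()
        return (proto in SIGNATURE_TYPES and isinstance(parts, list)
                and len(parts) == 2 and parts[1].get_content_type() == proto)
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Opaque S/MIME: signed-data is signed, enveloped-data is only encrypted.
        return (msg.get_param("smime-type") or "").lower() == "signed-data"
    return False


def check_outbound(raw):
    """Return a list of policy findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = [] if is_signed(msg) else ["unsigned"]
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            size = len(part.get_payload(decode=True) or b"")
            if size > MAX_FILE_BYTES:
                findings.append(f"attachment-too-large:{part.get_filename()}")
    return findings


# Constructed sample: detached S/MIME structure with a dummy signature body.
SIGNED_SAMPLE = (
    b"From: jane.doe@agency.example\r\nTo: records@agency.example\r\n"
    b"Subject: minutes\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    b' micalg=sha-256; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
    b"--b1\r\nContent-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n")


def oversized_unsigned_sample():
    """Constructed sample: unsigned mail with one attachment just over the limit."""
    m = EmailMessage()
    m["From"] = "jane.doe@agency.example"
    m["To"] = "records@agency.example"
    m.set_content("see attached")
    m.add_attachment(b"\0" * (MAX_FILE_BYTES + 1), maintype="application",
                     subtype="octet-stream", filename="scan.bin")
    return m.as_bytes()


if __name__ == "__main__":
    print(check_outbound(SIGNED_SAMPLE))
    print(check_outbound(oversized_unsigned_sample()))
```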


Email Security

Threats to E-mail

Loss of confidentiality.
• E-mails are sent in clear over open networks.
• E-mails stored on potentially insecure clients and mail servers.

Loss of integrity.
• No integrity protection on e-mails; anybody can alter in transit or on mail server.

Lack of data origin authentication.
• Is this e-mail really from the person named in the From: field?

Lack of non-repudiation.
• Can I rely and act on the content? (integrity)
• If so, can the sender later deny having sent it? Who is liable if I have acted?

Lack of notification of receipt.
• Has the intended recipient received my e-mail and acted on it?
• A message locally marked as ‘sent’ may not have been delivered.

Procedures for Email Security

Description of the standard

E-mails shall be archived legally and accessed for legal services. Security of email servers shall at all times be enforced. As a minimum, MCAs shall ensure that:
• Email transmission is secured through the use of encryption technology such as SSL or TLS among others.
• All updates, patches, service packs and any other software update packages must be applied on a timely basis on relevant servers and workstations.
• Adequate disaster recovery plans must be in place for email services.

Procedures for Email Security

Description of the standard

• Encryption of devices.
• Securing the operating system underlying a mail server.
• Network protection mechanisms, such as firewalls, routers, switches, and intrusion detection and intrusion prevention systems.
• Securing mail clients.
• Administering the mail server in a secure manner, including backups, anti-virus firewalls, security testing, and log reviews.

E-mail security Best practice

Description of the standard

Secure the server to client connections (easy thing first)
• https access to webmail
• Protection against insecure wireless access

Secure the end-to-end email delivery
• The Pretty Good Privacy (PGPs) of the world
• Digital signatures, Organizational PKI: digital cert
• Other defunct standards: PEM (privacy enhanced mail), (Secure/Multipurpose Internet Mail Extension) S/MIME, IETF.
• Requires users have public keys for secure com

THANK YOU

© 2007 IBM Corporation