					                                               InfraGard Connecticut
                                             Broadcast Email Guideline
                                                     Prepared by
                                                    Jacob Epstein
                                                   August 1, 2004

                                                    PRELIMINARY

Overview:

      Email is an imperfect vehicle for sharing critical information. Because various techniques in use can, in
      worst-case scenarios, empower criminals and terrorists to use email to transport malware to unsuspecting
      users, critical information sent by email for InfraGard Connecticut must be accurate,
      verifiable and delivered in a timely manner.

      Although various initiatives and projects have been proposed or are works in progress that assist in attaining these
      goals, replicating email messages on the IGCT WEB site solves the challenges listed above.

      A key question raised by members over the years is “How can we trust email when it is easy to spoof
      addresses?”. An answer is signing and encrypting messages. This approach has proven unsatisfactory for
      InfraGard because only a small percentage of members and elected officials use a standard approach to digitally
      sign email such as PGP or PKI certificates.


SSL WEBSITE

      The entire InfraGard WEB site runs under a Digital Certificate. IGCT members and members of the public who visit
      the site view information under Secure Sockets Layer (SSL), as indicated by the root URL for the site at
      https://secure.infragard-ct.org. This enables any user to verify that they are connected to the official site for
      InfraGard Connecticut.

      The current InfraGard WEB site has been security hardened, and IGCT members and content administrators can
      only gain access to key areas of the site via a vetted process. Thus trust is relatively high that information
      posted on the site is correct and accurate. A suite of content management tools has been implemented that assists
      in generating and proofing content in a timely manner.



Broadcast Email

      IGCT incorporates email listserv technologies to send broadcast email to members and other groups within the
      organization. Although secured, there are inherent weaknesses in the system. As of this writing, these are being
      addressed by IGCT’s IT committee.

      Key and critical information as well as general information is sent via the listserv. As part of the process of
      highlighting critical information, especially that flowing from the FBI and the Connecticut DHS, an “Alerts,
      Warnings, and Advisories” facility with front page access has been implemented on the WEB site. IGCT
      leadership is working towards mirroring all critical email using this and the general news reporting features on the
      site.

      In some cases, email broadcasts may include introductory information with a link provided to more thorough content
      published on the WEB site. This approach facilitates mail transfer, especially when attachments such as portable
      document files (.pdf) may be required. Advantages of this approach include smaller and more efficient text-based
      emails that can traverse corporate mail filtering systems.

Procedure

       As a result of the challenges discussed above plus work on tools to expedite publishing, IGCT directs all
       members to check the WEB site for critical information. In many if not all cases, critical information broadcast to
       members will be posted to the WEB site for verification purposes and also to record and document
       communications.

       As leaders change and based on need, this procedure may not always be followed for all correspondence;
       however, it is a goal that, at the very least, the most critical and sensitive email broadcasts are also published on
       the WEB site.

Public and Private Information

       InfraGard Connecticut receives information vetted for Members only. Thus links and notices will be posted in the
       public domain so that the description and notification of information is quickly viewable on the home page.
       However, viewing the actual information cleared for member review only will require that members use their email
       address and password to gain access to the information.

       As of this writing, members are still undergoing the vetting process requiring an FBI background check. Once the
       grace period is complete, only new and renewed members will have access to this information.

       Thus it is important that members have tested and regularly use private areas of the WEB site so that they retain
       access to critical but private information.



