Information Security
M365 Email Security Standard
Last modified 10/28/2025
Purpose
The purpose of this standard is to establish secure guidelines for managing M365 email security. Phishing and malware are two of the most prevalent and highest-risk security threats to the University, with attackers attempting to propagate malware and execute account compromise attacks on a daily basis. Malware and compromised accounts can spread quickly across networks and cause severe damage.
By implementing this standard, the University seeks to formalize and document controls to address the threat of phishing and malware for email services.
Scope
This standard applies to all M365 email services used for University-related activities, including vendor management of these services.
Standard
All user account[1] email must utilize the centrally-managed M365 email system[2] ("the system"). The M365 email system and its support teams ("teams") must meet the following criteria:
Management
- The system must have an identified and documented functional owner.
- The system must be managed and supported directly by a University IT team or through a partnership between a vendor and an IT support team.
- The system must be searchable by administrators and information security personnel for compliance with court orders, Freedom of Information Acts (FOIA), security investigations, and other regulatory requirements.
Authentication
- The system must utilize Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) for email authentication and authorization, and corrective action must be taken for failing emails.
- The system must implement multifactor authentication for user accounts.
- The system must implement multifactor authentication or IP-based restrictions for service accounts.
- The system must block authentication and/or force reauthentication from suspected compromised accounts.
Security
- The system must communicate with email clients using securely encrypted communications.
- The system must tag email originating from outside the University system tenant with an external warning banner unless an exception is approved by the M365 Governance Committee.
- The system must provide warning messages for first-time contact with external email senders.
- The system must evaluate emails for phishing/spam/malware before and after delivery and take corrective action upon detection.
- The system must perform URL filtering and block malicious links from external senders.
- The system must implement send limits based on account role.
- The system must evaluate attachments for malware and maintain a deny list of known malicious file types.
- The system must maintain a block list of known malicious senders.
- The system must implement spoofing protection to block impersonation attempts.
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain systems or accounts are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to the Information Security Office (ISO) through the university’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:
- User account names associated with the exception request
- Email services affected by the exception
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
The ISO will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following footnotes support statements referenced in the other sections of this document:
1. User accounts, for the purposes of this standard, are defined as the use of email by individuals ("user accounts"), as opposed to programmatic emails from services ("service accounts") or mass emails.
2. The centrally-managed M365 email system is the primary and central Microsoft 365 system ("Exchange") utilized for email services.
Compliance
The Information Security Office will report on local administrator membership to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.
Supporting References
The following information provides supporting references that informed the development of this standard:
2024 Data Breach Investigations Report | Verizon
CIS Critical Security Controls Version 8 (cisecurity.org)
CIS Community Defense Model 2.0 (cisecurity.org)
CIS Control v8 Guidance
Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.
9.1 Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
9.3 Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
9.5 Implement DMARC: To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
9.6 Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
9.7 Deploy and Maintain Email Server Anti-Malware Protections: Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.