Email Security Guidelines

Last reviewed: 2025-09-05 | Owner: IT Security Team

Purpose

Email is the primary communication tool at Global Bank and one of the most targeted channels for cyber attacks. These guidelines establish the security standards for using corporate email to protect the bank's information assets, maintain client confidentiality, and comply with regulatory requirements.

Policy Reference: IT-SEC-006
Effective Date: 1 February 2025
Review Date: 1 February 2026
Applies To: All employees, contractors, and third-party users with a Global Bank email account

General Principles

  • Corporate email accounts (username@globalbank.com) must be used exclusively for business-related communications.
  • Personal email accounts (Gmail, Outlook.com, Yahoo, etc.) must never be used to send or receive corporate data.
  • All emails sent from Global Bank accounts are the property of the bank and may be monitored, archived, and audited in accordance with regulatory and legal requirements.
  • Emails are retained for a minimum of seven years in the compliance archive, in line with FCA and PRA recordkeeping requirements.

Sensitivity Labels

All outgoing emails must have a Microsoft Information Protection (MIP) sensitivity label applied. Outlook will prompt you to select a label before sending if one has not been applied. The available labels are:

Public
  When to use: Information approved for external distribution
  Controls applied: No additional controls

Internal
  When to use: General internal communications
  Controls applied: Warning if sent externally

Confidential
  When to use: Sensitive business or client data
  Controls applied: Encryption in transit; no auto-forwarding; DLP scanning

Restricted
  When to use: Highly sensitive data (board papers, M&A, credentials)
  Controls applied: Full encryption (at rest and in transit); restricted forwarding; DLP block on external send without CISO approval

Sending Emails Externally

Internal and Public Data

Emails containing Internal or Public data may be sent to external recipients without additional approval. However, employees should exercise judgement and only share information that is necessary and appropriate.

Confidential Data

Emails containing Confidential data may be sent externally only if:

  • The Confidential sensitivity label is applied.
  • The recipient has a legitimate business need to receive the information.
  • The email is encrypted using Microsoft 365 Message Encryption (automatic when the Confidential label is applied).
  • Large files are shared via the secure file sharing portal (secureshare.globalbank.com) rather than as attachments.

Restricted Data

Restricted data must not be sent via email to external recipients except with prior written approval from the CISO. If approved, the Restricted label must be applied, and the email must be sent using S/MIME encryption with the recipient's verified certificate.

Data Loss Prevention (DLP)

Global Bank deploys automated Data Loss Prevention rules that scan outgoing emails for:

  • Credit card numbers, bank account numbers, and sort codes
  • National Insurance numbers and Social Security numbers
  • Passport numbers and other government-issued identification
  • Large volumes of client personal data
  • Keywords associated with insider trading or market abuse

If a DLP rule is triggered:

  • Low severity: You will receive a policy tip in Outlook advising you to review the email before sending. You may override the tip with a business justification.
  • Medium severity: The email will be sent but a copy will be forwarded to the Compliance team for review.
  • High severity: The email will be blocked. You will receive a notification explaining why. If you believe the block is in error, contact the IT Security Team.
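The tiering above is easier to reason about when you can see the detectors and the decision logic side by side. The following is an added example (not the bank's DLP configuration, which is not on this page) showing a toy outbound scanner in Python: simplified patterns for card numbers (validated with a Luhn check so that arbitrary 16-digit references are not flagged), UK sort codes and account numbers, NI and passport numbers, a constructed market-abuse keyword list, and a mapping from what was found to the low / medium / high actions the policy describes. The patterns, the keyword list, the volume threshold and the severity mapping are all assumptions made for illustration; the sample emails are constructed and contain no real data.

```python
"""Toy outbound DLP scanner (added example; patterns and thresholds are assumptions)."""
import re
from dataclasses import dataclass

# Simplified detectors. Production DLP uses richer validators and checksums.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")   # UK sort code nn-nn-nn
ACCOUNT_RE = re.compile(r"\b\d{8}\b")                 # UK account number (8 digits)
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")         # simplified UK NI number
PASSPORT_RE = re.compile(r"\b\d{9}\b")                # simplified UK passport number
# Constructed keyword list; the real market-abuse lexicon is not on the page.
MARKET_ABUSE_KEYWORDS = ("material non-public", "mnpi", "ahead of the announcement")
VOLUME_THRESHOLD = 5  # assumed cut-off for "large volume of client personal data"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    value: str


@dataclass
class Verdict:
    severity: str   # none | low | medium | high
    action: str     # send | policy_tip | send_and_copy_compliance | block
    findings: list


def scan(body: str) -> Verdict:
    """Run every detector over the message body and map the results to an action."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("credit_card", digits))
    for kind, pattern in (("sort_code", SORT_CODE_RE), ("account_number", ACCOUNT_RE),
                          ("ni_number", NI_RE), ("passport", PASSPORT_RE)):
        findings.extend(Finding(kind, m.group()) for m in pattern.finditer(body))
    lowered = body.lower()
    findings.extend(Finding("market_abuse_keyword", kw)
                    for kw in MARKET_ABUSE_KEYWORDS if kw in lowered)

    kinds = {f.kind for f in findings}
    personal = [f for f in findings
                if f.kind in ("sort_code", "account_number", "ni_number", "passport")]
    # Assumed mapping to the three tiers on the page.
    if "credit_card" in kinds or len(personal) >= VOLUME_THRESHOLD:
        return Verdict("high", "block", findings)
    if kinds & {"ni_number", "passport", "market_abuse_keyword"}:
        return Verdict("medium", "send_and_copy_compliance", findings)
    if kinds:
        return Verdict("low", "policy_tip", findings)
    return Verdict("none", "send", findings)


# Constructed sample messages; none of these values are real.
SAMPLE_EMAILS = {
    "invoice": "Invoice attached. Pay to sort code 20-00-00, account 12345678.",
    "card": "Card on file for the client is 4111 1111 1111 1111, expiry 12/27.",
    "not_a_card": "Reference number 1234 5678 9012 3456 for the ticket.",
    "mnpi": "This is material non-public information; do not trade ahead of the announcement.",
    "ni": "Customer NI number AB123456C, please update the KYC file.",
    "bulk": "\n".join(f"Client {i}: sort code 20-00-0{i}, account 1234567{i}" for i in range(5)),
    "clean": "Are we still on for the 3pm call?",
}


def scan_all(emails: dict) -> dict:
    """Return {name: (severity, action)} for a batch of message bodies."""
    return {name: (v.severity, v.action) for name, v in
            ((n, scan(b)) for n, b in emails.items())}


if __name__ == "__main__":
    for name, (severity, action) in scan_all(SAMPLE_EMAILS).items():
        print(f"{name:<11} {severity:<7} {action}")
```

The Luhn step is the part worth copying: without it, any 16-digit ticket or reference number trips the card detector and the "low severity" override becomes routine noise that users learn to click through. The volume rule is what turns a handful of individually low-severity banking details into a block.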

Email Attachments

  • Do not send executable files (.exe, .bat, .cmd, .ps1) via email. These will be automatically blocked by the email gateway.
  • Compress and password-protect attachments containing Confidential data. Communicate the password via a separate channel (e.g., phone call or Teams message), never in the same email or a follow-up email. Note that the email gateway and DLP cannot inspect the contents of a password-protected archive, so the Confidential sensitivity label and its controls must still be applied to the email itself.
  • For files larger than 25 MB, use the secure file sharing portal rather than email attachments.

Auto-Forwarding

Automatic forwarding of corporate email to external email addresses is prohibited and is blocked by Exchange Online transport rules. This applies to mailbox forwarding settings and to inbox rules that forward or redirect messages. Auto-forwarding to a personal email account is treated as a data breach and will be reported to the Data Protection Office.

Email Signature

All employees must use the standard Global Bank email signature template, which includes the required legal disclaimer and confidentiality notice. Signature templates are automatically applied by the email gateway. Do not modify or remove the disclaimer.

Reporting Suspicious Emails

If you receive a suspicious email, use the Report Phishing button in Outlook or forward the email as an attachment to phishing@globalbank.com (forwarding as an attachment preserves the original message headers that the IT Security Team needs for analysis). Do not click links, open attachments, or reply to the sender. See the Phishing Awareness and Reporting article (IT-SEC-002) for detailed guidance.

Contact

  • IT Security Team: itsecurity@globalbank.com | Ext. 2200
  • Compliance Team: compliance@globalbank.com | Ext. 2400
  • IT Service Desk: servicedesk@globalbank.com | Ext. 2000