ITU-T work programme

[2025-2028] : [SG17] : [Q4/17]

Work item: X.sg-ressso
Subject/title: Security guidelines for reporting email security status to security operations
Status: Under study 
Approval process: AAP
Type of work item: Recommendation
Version: New
Equivalent number: -
Timing: 2027-04 (Medium priority)
Liaison: -
Supporting members: -
Summary: This document presents standard guidelines for configuring email security status dashboards and reports. In summary, security systems and operations managers should be able to understand the organisation's email security posture through the following information:
- Understand the total volume of inbound and outbound emails during a specific period and the proportion of those emails classified as threats. For example, it should show briefly how many of the emails received daily were blocked as spam and how many were detected as malicious.
- Categorise detected email threats such as malware, phishing (social engineering), spam, and data leakage attempts, indicating how many instances of each were detected and/or blocked. This allows for the identification of currently prevalent attack types.
- Present threats originating from external sources separately from threats originating from internal users. For example, it should separately aggregate and display inbound malicious emails (e.g., malicious attachments, URL link attacks) and outbound attempts at internal data leakage or instances of compromised account exploitation.
- Visualise patterns such as whether spam and/or phishing attempts are increasing over time or whether attacks are concentrated on specific months or days of the week. Additionally, the overall security status can be represented by summary indicators such as risk scores or trust indices.
- Along with summaries of detected threats, it should inform administrators of security operational concerns, for example, "Targeted attacks concentrated on a specific employee account", "New malicious URLs discovered in a large number of emails". This allows administrators to consider further responses or policy improvements.
By providing the above information in the form of dashboards, periodic reports, and real-time alerts, security systems and administrators can clearly understand the email security situation and make rapid response decisions.
The following sections detail the specific security data elements, classification criteria, and representation methods to achieve these guidelines.
Comment: -
Reference(s):
  Historic references:
-
Contact(s):
Chunghan KIM, Editor
Jonghyun KIM, Editor
Hyunmin SHIN, Editor
ITU-T A.5 justification(s):
-
First registration in the WP: 2025-04-16 16:56:07
Last update: 2025-04-17 12:16:15