
BIM.PR.18 — Email Security and Privacy

BİM.PR.18 — Email Security and Privacy Procedure

Document No BİM.PR.18 Version 1.0 Initial Release 26.04.2026
Owner Group System and Server Management + Network and Security Group
Approved by Mehmet ARARAT — IT Director
Legal Approval Legal Counsel (for privacy clauses)
Legal Basis KVKK Art. 5, Art. 12 · Law No. 5651 · TCK Art. 132–138 · Labour Law (privacy) · ISO/IEC 27001:2022 A.8.20 / A.8.21 · BİGDES
Related Documents KYS.POL.01 P04 (Email), P33 (Incident Breach), KYS.POL.03, KYS.POL.05, BİM.PR.10, BİM.PR.16, BİM.PR.17, BİM.PR.24

1. Purpose and Scope

This procedure has two objectives:

(A) Technical security: Defines the anti-spam, anti-phishing, authentication (SPF/DKIM/DMARC), and incident response standards for the corporate email infrastructure (Google Workspace).

(B) Privacy and access discipline: Ensures that the institution exercises the monitoring/access rights it reserves under KYS.POL.04 s.13 and P04 s.462 in a proportionate, auditable, and written framework with respect to users’ email content. It protects both institutional and individual rights.

2. Domain Protection (Technical)

| Mechanism | Configuration | Purpose |
| --- | --- | --- |
| SPF | Authorised SMTP IP list in DNS TXT, ~all (soft fail) | Spoofed sender detection |
| DKIM | 2048-bit RSA signing, key rotated every 6 months | Message integrity |
| DMARC | Initial phase p=quarantine with rua= aggregate reporting enabled, moved to p=reject after 6 months | Phishing prevention |
| MTA-STS | Mode enforce, max_age 86400 | TLS enforcement |
| TLS-RPT | Reporting active | TLS failure tracking |

Note: ~all on its own only marks spoofed mail as a soft fail; it is DMARC that turns the result into a quarantine or reject decision, because an SPF soft fail does not count as a pass for DMARC alignment. Until p=reject is reached, receivers that do not evaluate DMARC may still deliver spoofed messages.
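As an added example (not part of this procedure or of any tooling the University uses), the Python below checks a set of published records against the requirements in the table above. The record values in `COMPLIANT` and `WEAK` are constructed samples, and `audit`, `fake_rsa_dkim` and the other names are the example's own. The DKIM key is a syntactically valid SubjectPublicKeyInfo built around a dummy modulus purely so that the key-length check has real DER to parse; in production the TXT strings would come from a DNS lookup and the MTA-STS policy text from the domain's well-known URL.

```python
"""Check published email-authentication records against the section 2 table.
Added example; COMPLIANT and WEAK are constructed samples, not HKU's real DNS
data. In production the TXT strings come from a DNS lookup and the policy text
from https://mta-sts.<domain>/.well-known/mta-sts.txt."""
import base64
import re

def tags(record):
    """Split a 'k=v; k=v' TXT record (DKIM, DMARC, TLS-RPT) into a dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(dkim_record):
    """Modulus size of the p= key (a DER SubjectPublicKeyInfo) in a DKIM TXT record."""
    spki = base64.b64decode(tags(dkim_record)["p"])
    _, body, _ = der_read(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = der_read(body, 0)             # AlgorithmIdentifier (skipped)
    _, bitstr, _ = der_read(body, pos)        # BIT STRING; first byte = unused-bits count
    _, rsa_key, _ = der_read(bitstr[1:], 0)   # RSAPublicKey SEQUENCE
    _, modulus, _ = der_read(rsa_key, 0)      # INTEGER n (a leading 0x00 pad is harmless here)
    return int.from_bytes(modulus, "big").bit_length()

def check_spf(record):
    """v=spf1 terminated by ~all or -all; '+all' or a missing 'all' fails."""
    return record.startswith("v=spf1") and re.search(r"\s[~-]all$", record.strip()) is not None

def check_dkim(record, min_bits=2048):
    t = tags(record)
    return t.get("v") == "DKIM1" and t.get("k", "rsa") == "rsa" and rsa_modulus_bits(record) >= min_bits

def check_dmarc(record, phase):
    """'initial' requires p=quarantine, 'enforced' requires p=reject; both need rua= reporting."""
    t = tags(record)
    wanted = {"initial": "quarantine", "enforced": "reject"}[phase]
    return t.get("v") == "DMARC1" and t.get("p") == wanted and "rua" in t

def check_mta_sts(policy_text, min_age=86400):
    """mta-sts.txt: STSv1, mode enforce, at least one mx, max_age not below the procedure's 86400."""
    f = {}
    for line in policy_text.splitlines():
        k, _, v = line.partition(":")
        f.setdefault(k.strip(), []).append(v.strip())
    return (f.get("version") == ["STSv1"] and f.get("mode") == ["enforce"]
            and bool(f.get("mx")) and int(f.get("max_age", ["0"])[0]) >= min_age)

def check_tls_rpt(record):
    t = tags(record)
    return t.get("v") == "TLSRPTv1" and t.get("rua", "").startswith(("mailto:", "https://"))

def audit(records, phase="initial"):
    """Return {mechanism: passed} for one set of records."""
    return {"SPF": check_spf(records["spf"]),
            "DKIM": check_dkim(records["dkim"]),
            "DMARC": check_dmarc(records["dmarc"], phase),
            "MTA-STS": check_mta_sts(records["mta_sts_policy"]),
            "TLS-RPT": check_tls_rpt(records["tls_rpt"])}

def der_tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed sample keys)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_rsa_dkim(bits):
    """DKIM record with a well-formed SPKI around a dummy odd modulus; constructed data, not a usable key."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    if modulus[0] & 0x80:
        modulus = b"\x00" + modulus           # DER INTEGER is signed; keep it positive
    rsa_key = der_tlv(0x30, der_tlv(0x02, modulus) + der_tlv(0x02, b"\x01\x00\x01"))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

COMPLIANT = {   # matches the table in its initial DMARC phase
    "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all",
    "dkim": fake_rsa_dkim(2048),
    "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.edu; adkim=s; aspf=s",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: aspmx.l.google.com\nmx: *.googlemail.com\nmax_age: 86400\n",
    "tls_rpt": "v=TLSRPTv1; rua=mailto:tls-rpt@example.edu",
}

WEAK = {        # typical pre-hardening state: +all, 1024-bit key, p=none, testing mode, no TLS-RPT
    "spf": "v=spf1 include:_spf.google.com +all",
    "dkim": fake_rsa_dkim(1024),
    "dmarc": "v=DMARC1; p=none",
    "mta_sts_policy": "version: STSv1\nmode: testing\nmx: aspmx.l.google.com\nmax_age: 3600\n",
    "tls_rpt": "",
}
```

`audit(COMPLIANT)` returns all five checks as passed and `audit(WEAK)` fails every one. Once the six-month DMARC transition is complete, the same records are re-audited with `phase="enforced"`, which makes p=quarantine a finding rather than a pass.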

3. Anti-Phishing and Anti-Malware

  • External emails automatically display a “This email was sent from outside the organisation” warning banner
  • Google Workspace security sandbox + anti-malware applied automatically (cannot be disabled by users, P05 s.485)
  • Attachment type restrictions: .exe, .bat, .vbs, .scr, .js, .iso, .lnk are blocked
  • Password-protected archives (.zip with password) require admin approval
  • Users report suspicious emails via Gmail “Report phishing” button → automatic BIM trigger

4. Privacy Principle — “BIM Means Privacy”

Hasan Kalyoncu University BIM treats respect for the personal nature of corporate email content as a fundamental principle. Apart from automated technical scanning, no human accesses email content, notwithstanding the institution’s reserved rights, except under the proportionate procedure set out below.

5. Automated Scanning (No Human Intervention)

  • Anti-malware, anti-spam, and anti-phishing are performed by automated systems.
  • When a threat signature matches, the system raises an alert and quarantines the message automatically; no human opens or reads the message at this stage.
  • Automated scanning data is not stored as personal data; it only generates statistics.

6. Manual Review (Human Access)

Manual email content review is performed only when all four of the following conditions are met:

  1. Written request: Official written request (Rector’s Office, General Secretariat, Legal Counsel, or judicial authority). Verbal/telephone requests are not accepted.
  2. Legal justification: The requester provides a specific written justification (ongoing administrative/disciplinary/legal investigation; legal obligation under KVKK Art. 5/2-ç; legitimate interest).
  3. Senior authority approval: IT Director (Mehmet ARARAT) + Legal Counsel provide dual-signed written approval. The approval incident record is shared with kvkk@hku.edu.tr.
  4. Minimum scope: Review is limited to the scope required by the request (e.g. only a specific date range/keyword). Copying the entire mailbox is prohibited.

7. Notification

The data subject is informed that a review has taken place to the extent permitted by the legal basis. If investigative confidentiality requires it, notification is deferred until the conclusion of the investigation; if deferred, the reason is recorded in writing.

8. Records and Retention

Every manual access is logged as request–approval–implementation–outcome; the log is retained for 5 years (KYS.POL.05 + BİM.PR.24). Logs are kept in a WORM (write-once-read-many) environment, so entries cannot be altered or deleted after the fact, and access to the logs is itself restricted to authorised staff.

9. Policy and Rights Framework

Pursuant to KYS.POL.04 s.13 and P04 s.462, the University reserves the right to monitor corporate systems and access email content. This procedure ensures that the right is exercised in accordance with the proportionality principle (KVKK Art. 5, Constitutional Court precedents, and the ECtHR criteria in Bărbulescu v. Romania); it does not conflict with the right set out in the policy but defines the framework for its exercise.

10. Incident Response

Upon detection of a phishing campaign:

  1. Affected users are identified from email filter logs
  2. Affected accounts are added to the mandatory password reset list
  3. Suspicious URLs are added to the global blocklist
  4. An incident report is summarised on the System Status page
  5. If a KVKK Art. 12 personal data breach is suspected, the Personal Data Protection Authority (KVKK Board) is notified within 72 hours
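As an added example, not part of this procedure or of any HKU tooling, the Python below carries out steps 1 to 3 over a filter-log export and computes the step 5 deadline. `SAMPLE_LOG` is constructed data: the column names (`recipient`, `sender`, `url`, `disposition`), the indicator set and the domains are assumptions, and a real Google Workspace log search export would be mapped into this shape first.

```python
"""Triage of a detected phishing campaign (section 10, steps 1-3 and the Art. 12
clock in step 5) over an email filter log export. Added example; SAMPLE_LOG is
constructed data with assumed column names, not a real Google Workspace export."""
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlparse

SAMPLE_LOG = """\
timestamp,recipient,sender,subject,url,disposition
2026-04-27T08:01:12Z,ayse@uni.example,it-support@uni-portal.example,Password expires today,https://uni-portal.example/login?u=a,delivered
2026-04-27T08:01:15Z,mehmet@uni.example,it-support@uni-portal.example,Password expires today,https://uni-portal.example/login?u=m,delivered
2026-04-27T08:01:20Z,fatma@uni.example,it-support@uni-portal.example,Password expires today,https://uni-portal.example/login?u=f,quarantined
2026-04-27T08:02:03Z,ali@uni.example,noreply@uni-portal.example,Re: invoice,http://203.0.113.7/verify,delivered
2026-04-27T08:05:44Z,ayse@uni.example,colleague@uni.example,Meeting notes,https://docs.example/notes,delivered
"""

# Indicators taken from the user's "Report phishing" submission (constructed).
CAMPAIGN_INDICATORS = {"uni-portal.example", "203.0.113.7"}


def normalise_url(url):
    """Drop query string and fragment so per-recipient tracking IDs collapse into one blocklist entry."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def triage(log_text, indicators, detected_at):
    """Steps 1-3 of section 10 plus the 72-hour KVKK Art. 12 notification deadline."""
    affected, blocklist = set(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        sender_domain = row["sender"].rsplit("@", 1)[-1].lower()
        url_host = (urlparse(row["url"]).hostname or "").lower()
        if sender_domain not in indicators and url_host not in indicators:
            continue
        blocklist.add(normalise_url(row["url"]))      # step 3: block the URL even if the copy was quarantined
        if row["disposition"] == "delivered":          # step 1: only recipients who could have clicked
            affected.add(row["recipient"].lower())
    return {
        "affected_users": sorted(affected),            # step 1; this is also the step 2 password reset list
        "url_blocklist": sorted(blocklist),            # step 3
        "kvkk_art12_deadline": detected_at + timedelta(hours=72),  # step 5, if a breach is suspected
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, CAMPAIGN_INDICATORS, datetime(2026, 4, 27, 9, 0)))
```

The quarantined recipient is deliberately left off the reset list because the message never reached the mailbox, while its URL still goes on the blocklist; stripping query strings matters because campaign links usually carry a per-recipient token that would otherwise produce one blocklist entry per victim.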

11. Violations

Violations are handled under KYS.POL.04 s.55 and P33 (Incident Breach). Disciplinary proceedings are initiated against BIM staff who access email content outside this procedure.

12. Entry into Force

26.04.2026; revised every January/July (in coordination with KVKK Commission + Legal Counsel).


Hasan Kalyoncu University · IT Directorate
Osmanlı Mah. Havaalanı Yolu Üzeri 8. Km 27010 Şahinbey/Gaziantep
444 6 458 · destek@hku.edu.tr · destek.hku.edu.tr · portal.hku.edu.tr
KEP: hasankalyoncu.unv@hs01.kep.tr
