Purpose
The purpose of this policy is to establish information security standards and related University policies for electronic mail (“e-mail”) use and e-mail processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.
Scope and Applicability
This Policy applies to:
All e-mail services provided, owned, or funded in part or in whole by the University.
All Users and account holders of the University e-mail systems or accounts, regardless of intended use.
Definitions
Underscored terms shall have the meaning ascribed to them herein, and shall have the same meaning when used in the singular or plural form or any appropriate tense.
Controlled Unclassified Information (CUI): US Federal Government or Contractor created information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.
Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.
Personally Identifiable Information (PII): An individual's first name and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:
A social security number;
A driver's license number, state identification card number, or other individual identification number issued by a state government unit;
A passport number or other identification number issued by the United States government;
An Individual Taxpayer Identification Number; or
A financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.
User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of the University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.
Specific Use of Electronic Mail
E-mail services are extended for the sole use of University faculty, staff, students, and other authorized users to accomplish tasks related to and consistent with the University's mission. Any e-mail address or account assigned by the University to individuals, sub-units, or functions of the University is the property of the University.
E-mail users are required to comply with state and federal laws, University policies, and normal standards of professional and personal courtesy and conduct. Access to University e-mail services is a privilege that may be wholly or partially restricted by the University without prior notice and without the consent of the e-mail user: (a) when required by and consistent with applicable law or policy; (b) when there is a reasonable suspicion that violations of policy or law have occurred or may occur; or (c) when required to meet time-dependent, critical operational needs.
When a User's affiliation with the University ends, the University may attempt to redirect an e-mail to another internal University e-mail address for a reasonable period of time as determined by the University for purposes consistent with this policy and the University's mission. The University may elect to terminate the individual's e-mail account or continue the account, subject to approval by appropriate University supervisory and systems operational authority.
E-mail that contains Personally Identifiable Information (PII) or Controlled Unclassified Information (CUI) is permissible only for valid business reasons, and appropriate security controls, such as e-mail encryption, must be used.
Manually forwarding or auto-forwarding UMGC-specific e-mail from a University-managed e-mail system to an external e-mail system is prohibited unless properly authorized by University department leadership.
Users are required to comply with University requests for access to and copies of e-mail records when access or disclosure is required or allowed by applicable law or policy, regardless of whether such records reside on a computer housed or owned by the University.
Using e-mail for illegal activities is strictly prohibited. Illegal use may include, but is not limited to obscenity; child pornography; threats; harassment; theft; attempting unauthorized access to data or attempting to breach any security measures on any electronic communications system; attempting to intercept any electronic communication transmissions without proper authority; and violation of copyright, trademark, or defamation law.
University e-mail services shall not be used for purposes that could reasonably be expected to cause, directly or indirectly, strain on any computing facilities or interference with others' use of e-mail or e-mail systems. Such uses include, but are not limited to, the use of e-mail services to:
Send or forward chain letters.
"Spam"; that is, to exploit listservs or similar systems for the widespread distribution of unsolicited mail.
"Letter-bomb"; that is, to resend the same e-mail repeatedly to one or more recipients.
University e-mail services may be used for incidental personal purposes provided that such use does not:
Directly or indirectly interfere with the University operation of computing facilities or e-mail services.
Interfere with the e-mail user's employment or other obligations to the University.
Violate this policy, or any other applicable policy or law, including but not limited to, use for personal gain, conflict of interest, harassment, defamation, copyright violation, or illegal activities.
E-mail messages arising from such personal use shall, however, be subject to access consistent with this policy or applicable law. Accordingly, such use does not carry with it a reasonable expectation of privacy.
The confidentiality of e-mail cannot be assured, and any confidentiality may be compromised by access consistent with applicable law or policy, including this policy, by unintended redistribution, or due to current technologies inadequate to protect against unauthorized access. Users, therefore, should exercise extreme caution in using e-mail to communicate confidential or sensitive matters, and should not assume that their e-mail is private or confidential.
Users are responsible for safeguarding their login credential (UserID) and password, and for using them only as authorized. Users are responsible for all e-mail transactions made under the authorization of their UserID.
Exceptions
Exceptions to this policy should be submitted to Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.
Enforcement
Use e-mail in accordance with UMGC Policy X-1.12 Acceptable Use. Failure to adhere to this policy subjects you to the enforcement as outlined in the policy.
Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this policy should notify Information Security as soon as practicable.
Standards Referenced
USM IT Security Standards, v.5, dated July 2022
NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020.
Cybersecurity Maturity Model Certification (CMMC), v.2.0, December, 2021