Electronic Mail

Electronic Mail

1. Purpose

   The purpose of this policy is to establish information security standards and related University policies for electronic mail (e-mail) use and e-mail processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

2. Scope and Applicability

   This Policy applies to:

   1. All e-mail services provided, owned, or funded in part or in whole by the University.

   2. All Users and account holders of the University e-mail systems or accounts, regardless of intended use.

3. Definitions

   Underscored terms shall have the meaning ascribed to them herein, and shall have the same meaning when used in the singular or plural form or any appropriate tense.

   Controlled Unclassified Information (CUI): Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. CUI includes Personally Identifiable Information (PII).

   Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty

   Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the computer or device connected to the network.

   Personally Identifiable Information (PII): An individual's first name and last name, personal mark, or unique biometric or genetic print or image, in combination with one or more of the following data elements:

   1. A social security number;

   2. A driver's license number, state identification card number, or other individual identification number issued by a state government unit;

   3. A passport number or other identification number issued by the United States government;

   4. An Individual Taxpayer Identification Number; or

   5. A financial or other account number, a credit card number, or a debit card number that, in combination with any required security code, access code, or password, would permit access to an individual's account.

   User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.

4. Specific Use of Electronic Mail

   1. E-mail services are extended for the sole use of University faculty, staff, students, and other authorized users to accomplish tasks related to and consistent with the University's mission. Any e-mail address or account assigned by the University to individuals, sub-units, or functions of the University is the property of the University.

   2. E-mail users are required to comply with state and federal laws, University policies, and normal standards of professional and personal courtesy and conduct. Access to University e-mail services is a privilege that may be wholly or partially restricted by the University without prior notice and without the consent of the e-mail user: (a) when required by and consistent with applicable law or policy; (b) when there is a reasonable suspicion that violations of policy or law have occurred or may occur; or (c) when required to meet time-dependent, critical operational needs.

   3. When a User's affiliation with the University ends, the University may attempt to redirect an e-mail to another internal University email address for a reasonable period of time as determined by the University for purposes consistent with this policy and the University's mission. The University may elect to terminate the individual's e-mail account or continue the account, subject to approval by appropriate University supervisory and systems operational authority.

   4. Email that contains Personally Identifiable Information (PII) or Controlled Unclassified Information (CUI) is only permissible for valid business reasons and appropriate security controls such as email encryption must be taken.

   5. Manual or Auto-forwarding UMGC specific email from a University managed email system to an external email system is prohibited unless properly authorized by University department leadership.

   6. Users are required to comply with University requests for access to and copies of e-mail records when access or disclosure is required or allowed by applicable law or policy, regardless of whether such records reside on a computer housed or owned by the University.

   7. Using e-mail for illegal activities is strictly prohibited. Illegal use may include, but is not limited to obscenity; child pornography; threats; harassment; theft; attempting unauthorized access to data or attempting to breach any security measures on any electronic communications system; attempting to intercept any electronic communication transmissions without proper authority; and violation of copyright, trademark, or defamation law.

   8. University e-mail services shall not be used for purposes that could reasonably be expected to cause, directly or indirectly, strain on any computing facilities or interference with others' use of e-mail or e-mail systems. Such uses include, but are not limited to, the use of e-mail services to:

      1. Send or forward chain letters.

      2. "Spam"; that is, to exploit listservs or similar systems for the widespread distribution of unsolicited mail.

      3. "Letter-bomb"; that is, to resend the same e-mail repeatedly to one or more recipients.

   9. University e-mail services may be used for incidental personal purposes provided that such use does not:

      1. Directly or indirectly interfere with the University operation of computing facilities or e-mail services.

      2. Interfere with the e-mail user's employment or other obligations to the University.

      3. Violate this policy, or any other applicable policy or law, including but not limited to, use for personal gain, conflict of interest, harassment, defamation, copyright violation, or illegal activities.

   10. E-mail messages arising from such personal use shall, however, be subject to access consistent with this policy or applicable law. Accordingly, such use does not carry with it a reasonable expectation of privacy.

   11. The confidentiality of e-mail cannot be assured, and any confidentiality may be compromised by access consistent with applicable law or policy, including this policy, by unintended redistribution, or due to current technologies inadequate to protect against unauthorized access. Users, therefore, should exercise extreme caution in using e-mail to communicate confidential or sensitive matters, and should not assume that their e-mail is private or confidential.

   12. Users are responsible for safeguarding their login credential (UserID) and password, and for using them only as authorized. Each user is responsible for all e-mail transactions made under the authorization of his or her UserID.

5. Exceptions

   Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

6. Enforcement

   1. Use e-mail in accordance with UMGC Acceptable Use Policy. Failure to adhere to this policy subjects you to the enforcement as outlined in the policy.

   2. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this policy should notify the VP of Information Security as soon as practicable.

7. Related Policies

   UMGC X-1.02 Data Classification
   UMGC X-1.04 Information Security
   UMGC X-1.10 Identity and Access Management
   UMGC X-1.12 Acceptable Use

8. Effective Date

   This policy is effective as of the date set forth above.