Educause Security Discussion mailing list archives
Policy language around email and other forms of "official electronic communication" platforms
From: "Bole, Jim A" <jbole () ALBANY EDU>
Date: Fri, 22 Jan 2021 16:54:08 +0000
We’re working on an email policy that is mostly focused on making sure everyone knows email is the main official method of communication. There are sections about no expectation of privacy, everyone has to read their emails, etc. There is a section on using email for sensitive data. We do have a simple data classification standard, but we don’t have clearly defined rules for when email can be used for top-levels of sensitive data (HIPAA, SSNs, etc.).

I think there should be a distinction between emails sent internally vs externally. We’re an O365 shop and my understanding is that email (and other data such as OneDrive, Teams) within our tenant meets basic encryption requirements for both in-transit and at-rest conditions (outside of the issue of Microsoft having the keys/certs). External email is a qualified “maybe” with some services negotiating secure transport while others don’t. So we can’t guarantee the security/encryption. I’m curious if others agree with this.

I’m also looking at added sections for bulk mail, relaying and forwarding.

And, I wonder if it makes sense to expand the policy to include other forms of “official electronic communication.” Is Teams the same as email? What about chat in Blackboard or Zoom? While these may not be used to communicate official university announcements, they are used by students and employees to conduct sanctioned university operations. So for that there should be similar rules about no privacy, sensitive information, inappropriate use, etc. I’m torn on this aspect, so I’d be interested in feedback.

Any other suggestions or examples of good policies appreciated.

Jim Bole
Chief Information Security Officer
Information Technology Services
University at Albany