Educause Security Discussion mailing list archives
Re: Policy language around email and other forms of "official electronic communication" platforms
From: "Martinez, Brian" <brm () MSU EDU>
Date: Fri, 22 Jan 2021 21:49:36 +0000
Jim, My two cents: while email may be the "official electronic communication platform" I would tend to stay away from PII being used within it, whether internal or not. Worst case, assuming you have access to such tools (I think it's built-in at all level of 365(?)), utilize the #encrypt feature in the subject line to encrypt sensitive data. Best case, you find some other more secure medium to act as an intermediary for sending/receiving such data. I'd consider Teams within the same realm as email. The whole idea behind Slack, originally, was to be an "email replacement." I feel Microsoft really made better progress towards that than Slack did given how heavily Teams ties into the [collaborative] 365 environment. And, of course, during this pandemic, Teams usage has become pervasive. While certainly a separate product from Outlook/Exchange, it is likely assessed similarly (by which I mean the answers on a HECVAT from the Microsoft Teams team would likely be nearly the same answers provided by the Microsoft Mail team). I would think Zoom, Blackboard, and any other products in which you can message should be encompassed in the policy as well, but I would absolutely not send anything PII through them and it sounds like your policy would already address that. Shorter answer here: Yes, definitely include other forms of electronic communication in said policy. Regards, Brian R. Martinez Information Security Michigan State University Office: +1-517-884-8791 brm () msu edu<mailto:brm () msu edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bole, Jim A Sent: Friday, January 22, 2021 11:54 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Policy language around email and other forms of "official electronic communication" platforms We're working on an email policy that is mostly focused on making sure everyone knows email is the main official method of communication. There are sections about no expectation of privacy, every has to read their emails, etc. There is a section on using email for sensitive data. We do have a simple data classification standard, but we don't have clearly defined rules for when email can be used for top-levels of sensitive data (HIPAA, SSNs, etc). I think there should be a distinction between emails sent internally vs externally. We're an O365 shop and my understanding is that email (and other data such as OneDrive, Teams) within our tenant meets basic encryption requirements for both in-transit and at-rest conditions (outside of the issue of Microsoft having the keys/certs). External email is a qualified "maybe" with some services negotiation secure transport while others don't. So we can't guarantee the security/encryption. I'm curious if others agree with this. I'm also looking at added sections for bulk mail, relaying and forwarding. And, I wonder if it makes sense to expand the policy to include other forms of `'official electronic communication." Is Teams the same as email? What about chat in Blackboard or Zoom? While these may not be used to communicate official university announcements, they are used by student and employees to conduct sanctioned university operations. So for that there should be similar rules about no privacy, sensitive information, inappropriate use, etc. I'm torn on this aspect, so I'd be interested in feedback. Any other suggestions or examples of good policies appreciated. Jim Bole Chief Information Security Officer Information Technology Services University at Albany ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.com/v3/__https:/www.educause.edu/community__;!!HXCxUKc!iOmUgagRsdy4F9Gu_QcjBRylUqOUtLA7jrtZyNQw-0PYS_yOmWiX4fRvd5k$> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Policy language around email and other forms of "official electronic communication" platforms Bole, Jim A (Jan 22)
- Re: Policy language around email and other forms of "official electronic communication" platforms Martinez, Brian (Jan 22)
- Re: Policy language around email and other forms of "official electronic communication" platforms Catherine Ullman (Jan 22)
- Re: Policy language around email and other forms of "official electronic communication" platforms Martinez, Brian (Jan 22)