Educause Security Discussion mailing list archives

Re: Policy language around email and other forms of "official electronic communication" platforms


From: "Martinez, Brian" <brm () MSU EDU>
Date: Fri, 22 Jan 2021 21:49:36 +0000

Jim,

My two cents: while email may be the "official electronic communication platform" I would tend to stay away from PII 
being used within it, whether internal or not. Worst case, assuming you have access to such tools (I think it's 
built-in at all levels of 365(?)), utilize the #encrypt feature in the subject line to encrypt sensitive data. Best 
case, you find some other more secure medium to act as an intermediary for sending/receiving such data.

I'd consider Teams within the same realm as email. The whole idea behind Slack, originally, was to be an "email 
replacement." I feel Microsoft really made better progress towards that than Slack did given how heavily Teams ties 
into the [collaborative] 365 environment. And, of course, during this pandemic, Teams usage has become pervasive. While 
certainly a separate product from Outlook/Exchange, it is likely assessed similarly (by which I mean the answers on a 
HECVAT from the Microsoft Teams team would likely be nearly the same answers provided by the Microsoft Mail team). I 
would think Zoom, Blackboard, and any other products in which you can message should be encompassed in the policy as 
well, but I would absolutely not send anything PII through them and it sounds like your policy would already address 
that. Shorter answer here: Yes, definitely include other forms of electronic communication in said policy.

Regards,

Brian R. Martinez
Information Security
Michigan State University
Office: +1-517-884-8791
brm () msu edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bole, Jim A
Sent: Friday, January 22, 2021 11:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Policy language around email and other forms of "official electronic communication" platforms

We're working on an email policy that is mostly focused on making sure everyone knows email is the main official method 
of communication. There are sections about no expectation of privacy, everyone has to read their emails, etc.

There is a section on using email for sensitive data. We do have a simple data classification standard, but we don't 
have clearly defined rules for when email can be used for top-levels of sensitive data (HIPAA, SSNs, etc).

I think there should be a distinction between emails sent internally vs externally. We're an O365 shop and my 
understanding is that email (and other data such as OneDrive, Teams) within our tenant meets basic encryption 
requirements for both in-transit and at-rest conditions (outside of the issue of Microsoft having the keys/certs). 
External email is a qualified "maybe" with some services negotiating secure transport while others don't. So we can't 
guarantee the security/encryption.

I'm curious if others agree with this.

I'm also looking at added sections for bulk mail, relaying and forwarding.

And, I wonder if it makes sense to expand the policy to include other forms of "official electronic communication." Is 
Teams the same as email? What about chat in Blackboard or Zoom? While these may not be used to communicate official 
university announcements, they are used by students and employees to conduct sanctioned university operations. So for 
that there should be similar rules about no privacy, sensitive information, inappropriate use, etc. I'm torn on this 
aspect, so I'd be interested in feedback.

Any other suggestions or examples of good policies appreciated.


Jim Bole
Chief Information Security Officer
Information Technology Services
University at Albany



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
