��������

Purpose

The purpose of this Policy is to establish Information Security standards and related University Policies for e-mail use and e-mail processes relevant to University Information Technology Resources.

Scope and Applicability

This Policy applies to:

1. All e-mail services provided, owned, or funded in part or in whole by the University.
2. All Users and Account holders of the University e-mail systems or accounts, regardless of intended use.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. E-mail services are extended for the sole use of University faculty, staff, students, and other authorized users to accomplish tasks related to and consistent with the University's mission. Any e-mail address or account assigned by the University to individuals, sub-units, or functions of the University is the property of the University.
2. E-mail users are required to comply with state and federal laws, University policies, and normal standards of professional and personal courtesy and conduct. Access to University e-mail services is a privilege that may be wholly or partially restricted by the University without prior notice and without the consent of the e-mail user: (a) when required by and consistent with applicable law or policy; (b) when there is a reasonable suspicion that violations of policy or law have occurred or may occur; or (c) when required to meet time-dependent, critical operational needs.
3. When a User's affiliation with the University ends, the University may attempt to redirect an e-mail to another internal University e-mail address for a reasonable period of time as determined by the University for purposes consistent with this policy and the University's mission. The University may elect to terminate the individual's e-mail account or continue the account, subject to approval by appropriate University supervisory and systems operational authority.
4. E-mail that contains Personally Identifiable Information (PII) or Controlled Unclassified Information (CUI) is only permissible for valid business reasons and appropriate security controls such as e-mail encryption must be taken.
5. Manual or Auto-forwarding UMGC specific e-mail from a University managed e-mail system to an external e-mail system is prohibited unless properly authorized by University department leadership.
6. Users are required to comply with University requests for access to and copies of e-mail records when access or disclosure is required or allowed by applicable law or policy, regardless of whether such records reside on a computer housed or owned by the University.
7. Using e-mail for illegal activities is strictly prohibited. Illegal use may include, but is not limited to obscenity; child pornography; threats; harassment; theft; attempting unauthorized access to data or attempting to breach any security measures on any electronic communications system; attempting to intercept any electronic communication transmissions without proper authority; and violation of copyright, trademark, or defamation law.
8. University e-mail services shall not be used for purposes that could reasonably be expected to cause, directly or indirectly, strain on any computing facilities or interference with others' use of e-mail or e-mail systems. Such uses include, but are not limited to, the use of e-mail services to:
   1. Send or forward chain letters.
   2. "Spam"; that is, to exploit listservs or similar systems for the widespread distribution of unsolicited mail.
   3. "Letter-bomb"; that is, to resend the same e-mail repeatedly to one or more recipients.
9. University e-mail services may be used for incidental personal purposes provided that such use does not:
   1. Directly or indirectly interfere with the University operation of computing facilities or e-mail services.
   2. Interfere with the e-mail user's employment or other obligations to the University.
   3. Violate this Policy, or any other applicable policy or law, including but not limited to, use for personal gain, conflict of interest, harassment, defamation, copyright violation, or illegal activities.
10. E-mail messages arising from such personal use shall, however, be subject to access consistent with this policy or applicable law. Accordingly, such use does not carry with it a reasonable expectation of privacy.
11. The Confidentiality of e-mail cannot be assured, and any Confidentiality may be compromised by access consistent with applicable law or policy, including this Policy, by unintended redistribution, or due to current technologies inadequate to protect against unauthorized access. Users, therefore, should exercise extreme caution in using e-mail to communicate confidential or sensitive matters, and should not assume that their e-mail is private or Confidential.
12. Users are responsible for safeguarding their login credential (UserID) and password, and for using them only as authorized. Users are responsible for all e-mail transactions made under the authorization of their UserID.

Exceptions

Exceptions to this Policy should be submitted to Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

1. Use e-mail in accordance with UMGC Policy X-1.12 Acceptable Use. Failure to adhere to this Policy subjects you to the enforcement as outlined in the Policy.
2. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy should notify Information Security as soon as practicable.

1. Most recent versions:
   1. USM IT Security Standards
   2. NIST SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
   3. Cybersecurity Maturity Model Certification (CMMC)

1. UMGC X-1.02 Data Classification
2. UMGC X-1.04 Information Security
3. UMGC X-1.10 Identity and Access Management
4. UMGC X-1.12 Acceptable Use