7.20.02 E-mail System Acceptable Use and Security
Approved on: 08/04/2004
By: Administrative Council
Effective Date: 08/04/2004
Policy Summary
Electronic messaging (e-mail) is an essential and enabling application that facilitates the flow of information within the university and with external correspondents. Electronic messaging systems will be managed and protected across the university in accordance with common standards and procedures.
Applicability/Eligibility
Faculty
Staff
Students
Administration of Policy
Mandating Authority:
Administrative Council
Responsible Office(s):
Information Systems and Technology, 13th floor, Commerce Building, 3-4357
Responsible Executive(s): AP for Information Systems and Technology
| Position Title | Campus Location | Phone Number and/or E-mail Address |
|---|---|---|
| AP for IS&T | 13th Floor, Commerce Bldg. | 404-413-4357 |
Full Policy Text
Electronic messaging (e-mail) is an essential and enabling application that facilitates the flow of information within the university and with external correspondents. Electronic messaging systems will be managed and protected across the university in accordance with common standards and procedures.
Rationale or Purpose
The university depends on the availability and responsiveness of e-mail for the normal conduct of university business. The widespread acceptance of e-mail, both within the university and as a part of our personal lives, as a means of rapid communication and dissemination of information has led to the availability of a wide variety of consumer and enterprise applications and services. These applications and systems can often be purchased and installed without regard for the ongoing administrative support needed to maintain system integrity and the security or confidentiality of the information conveyed by the system. For the conduct of university business using e-mail, efficiency of operation and maintenance of security can best be achieved by limiting the number of e-mail systems serving the university and by using only enterprise-class systems to supply e-mail accounts.
Indiscriminate mass e-mailing to the university community can quickly tax the capabilities of the processing systems to deliver other messages that may be critical. Additionally, the receipt by university users of excessive numbers of mass e-mailing messages is a work-place irritant and does not promote the efficient use of information systems or human resources.
E-mail does not include instant messaging (IM) capabilities.
Policy History
None
Cross References
None
Additional Information
Standards
Attachment Type Limitations: E-mail attachments received on campus will be filtered to exclude specific filename extensions (e.g. .exe, .com), if the extension is determined to be a security threat by the University Information Security Officer.
Conveyance of Confidential or Sensitive Information: Users of all e-mail systems must be aware that information originated in or received through e-mail messages is probably not encrypted and should not be considered as confidential or unaltered. Unencrypted e-mail will not be used for the conveyance of personal or sensitive information (see Sensitive Information Protection Policy).
E-mail Broadcasts: Use of the centrally-managed e-mail systems of the university for mass distribution of mailings will be governed by the criticality of the content of mailings as follows:
Critical Messages: Critical messages that need to be distributed to all university employees must be approved by the president, the provost, a vice president or the director of university relations prior to submission for distribution. Critical messages intended for students must be approved by the Vice President for Student Services prior to distribution. Critical messages are categorized as either time-sensitive or non-time-sensitive.
Informational Mailing Lists: Users of e-mail systems at Georgia State University are not permitted to arbitrarily send messages to all, or nearly all, of the system users. Instead, informational mailing lists have been created and are designed to reach targeted audiences. Individuals may selectively join any, or all, of these mailing lists. Mailings to each list are distributed on a nightly basis.
Production Messages: Messages to be generated by a production application, and sent on a schedule to a specific population, require a one-time advance approval by the president, the provost, or a vice president.
E-mail Relay: All university hosted e-mail systems will be configured to prevent use by third parties as e-mail relay platforms.
E-mail Systems: University Computing and Communications Services (UCCS) will operate centrally managed e-mail systems for the university to support the needs of faculty, staff and students (and retirees as resources permit). Departments wishing to continue to operate existing or new systems for business, academic or research purposes must notify UCCS of their use and indicate on-going compliance with all standards in the policy. E-mail systems in compliance with this policy will be permitted to send and receive Simple Mail Transfer Protocol (SMTP) traffic to and from the Internet. All other devices would be blocked for SMTP traffic at the campus Internet router.
Encryption of Web-based Access: Client-read access to e-mail must utilize a minimum of 56-bit encryption for authentication to protect account passwords. Web clients may use a secure web server utilizing the HTTPS and SSL protocols. POP and IMAP clients may use secure POP or IMAP protocols with SSL connections. Clients with direct Linux or Unix shell client software may use a secure encrypted protocol such as SSH to login to the server.
Passwords: Strong password guidelines as published in the Minimum Information Security Environment Policy (Create or Change a Password) will be utilized on all university-hosted e-mail systems.
Patch Management: E-mail servers must be updated with new security patches for both the operating system and mail server applications as those patches are released by vendors. UCCS is responsible for patching the centrally managed email systems. Departments are responsible for patching additional systems that have been approved under the standard above.
Virus Detection and Removal: Active anti-virus detection and quarantine clients will be installed on all email servers. Where possible, these anti-virus applications will be configured for automatic update of virus signatures. Additionally, anti-virus gateways will be utilized to scan inbound and outbound messages.
Please contact the Responsible Office for information on Procedures.
Additional Helpful Resources
Procedures
Document Initial and On-Going Compliance of E-mail Servers
Distribute a Critical Time-Sensitive ("Send Now") System-Wide E-mail Message
Distribute a Critical Non-Time-Sensitive ("Send Next Day") System-Wide E-mail Message
Subscribe to (Join) a University Mailing List
Send a Message to a University Mailing List
Unsubscribe to (Quit) a University Mailing List
View University Mailing List Messages Posted on the Web
Distribute a Production Message
Procedures
None








