Policies & Regulations

Similar documents
POLICIES AND PROCEDURES

University Policies and Procedures ELECTRONIC MAIL POLICY

NORTH CAROLINA AGRICULTURAL AND TECHNICAL STATE UNIVERSITY

SUBJECT: Effective Date: Policy Number: Florida Public Records Act: Scope and

COUNTY OF RIVERSIDE, CALIFORNIA BOARD OF SUPERVISORS POLICY. ELECTRONIC MEDIA AND USE POLICY A-50 1 of 9

Cleveland State University General Policy for University Information and Technology Resources

UTAH VALLEY UNIVERSITY Policies and Procedures

UNIVERSITY OF HOUSTON SYSTEM ADMINISTRATIVE MEMORANDUM. SECTION: Information Technology NUMBER: 07.A.07

CARROLL COUNTY PUBLIC SCHOOLS ADMINISTRATIVE REGULATIONS BOARD POLICY EHB: DATA/RECORDS RETENTION. I. Purpose

Southington Public Schools

Florida Supervisor of Elections Conference May 22, 2018 Patricia R. Gleason Special Counsel for Open Government Attorney General Pam Bondi

Acceptable Use Policy

UTAH VALLEY UNIVERSITY Policies and Procedures

Subject: University Information Technology Resource Security Policy: OUTDATED

Records Retention Policy

Records Management and Retention

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Supersedes Policy previously approved by TBM

ELECTRONIC MAIL POLICY

POLICY TITLE: Record Retention and Destruction POLICY NO: 277 PAGE 1 of 6

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Virginia Commonwealth University School of Medicine Information Security Standard

RMU-IT-SEC-01 Acceptable Use Policy

WHEATON COLLEGE RETENTION POLICY May 16, 2013

Responsible Officer Approved by

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

RECORDS AND INFORMATION MANAGEMENT AND RETENTION

ACCEPTABLE USE OF HCHD INTERNET AND SYSTEM

Acceptable Use Policy

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Computer, Communication, and Network Technology Acceptable Use

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

Ashford Board of Education Ashford, Connecticut POLICY REGARDING RETENTION OF ELECTRONIC RECORDS AND INFORMATION

Violations of any portion of this policy may be subject to disciplinary action up to and including termination of employment.

8/28/2017. What Is a Federal Record? What is Records Management?

Security Awareness, Training, And Education Plan

5/6/2013. Creating and preserving records that contain adequate and proper documentation of the organization.

Southern Adventist University Information Security Policy. Version 1 Revised Apr

Red Flags Program. Purpose

13. Acceptable Use Policy

Information Privacy Statement

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

The University of British Columbia Board of Governors

II.C.4. Policy: Southeastern Technical College Computer Use

Cyber Security Program

Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

Freedom of Information and Protection of Privacy (FOIPOP)

Herkimer County Community College. Department of Information Services Computer Use Policy and Guidelines

SPRING-FORD AREA SCHOOL DISTRICT

TITLE SOCIAL MEDIA AND COLLABORATION POLICY

Acceptable Use Policy

Information Security Incident Response and Reporting

19 Dec The forwarding and returning obligation does not concern messages containing malware or spam.

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

Retention & Archiving Policy

POLICY 8200 NETWORK SECURITY

Access Control Policy

This regulation outlines the policy and procedures for the implementation of wireless networking for the University Campus.

Cellular Site Simulator Usage and Privacy

LifeWays Operating Procedures

Draft. Policies of Colorado State University University Policy. Category: Information Technology

Wireless Communication Device Policy Policy No September 2, Standard. Practice

IEEE Electronic Mail Policy

Lakeshore Technical College Official Policy

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

NASD NOTICE TO MEMBERS 97-58

Employee Security Awareness Training Program

Shaw Privacy Policy. 1- Our commitment to you

CUNY Graduate Center Information Technology. IT User Account Management Last Updated: May 25, 2017

The University of Tennessee. Information Technology Policy (ITP) Preamble

RECORD RETENTION POLICY

POLICY Board of Trustees - Montgomery College 66004

DIRECTIVE ON RECORDS AND INFORMATION MANAGEMENT (RIM) January 12, 2018

Frequently Asked Questions Related to The Arkansas General Records Retention Schedule

Information Security Data Classification Procedure

University of North Texas System Administration Identity Theft Prevention Program

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

Checklist: Credit Union Information Security and Privacy Policies

Identity Theft Prevention Policy

UCL Policy on Electronic Mail ( )

BERKELEY COLLEGE Social Media Policy

Acceptable Use Policy

Information technology security and system integrity policy.

GENERAL PRIVACY POLICY

LOYOLA UNIVERSITY MARYLAND. Policy and Guidelines for Messaging to Groups

Security and Privacy Breach Notification

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Farmingdale State College Records Management Training PRESENTED BY DOROTHY HUGHES INTERNAL CONTROL OFFICER AND RECORDS MANAGEMENT OFFICER

Terms and Conditions between Easy Time Clock, Inc. And Easy Time Clock Client

Website Privacy Policy

Policy Summary: This guidance outlines ACAOM s policy and procedures for managing documents. Table of Contents

Information Security Incident Response Plan

CUNY Graduate Center Information Technology. IT Policies & Procedures Last Updated: May 12, 2017

1. Right of access. Last Approval Date: May 2018

IT ACCEPTABLE USE POLICY

4.2 Electronic Mail Policy

Transcription:

Policies & Regulations Email Policy Number Effective Revised Review Responsible Division/Department: Administration and Finance / Office of the CIO/ Information Technology Services (ITS) New Policy Major Revision of Existing Policy Minor/Technical Revision of Existing Policy Reaffirmation of Existing Policy I. OBJECTIVE & PURPOSE This policy applies to all persons and entities that are provided an account in the University s electronic mail systems (i.e., Office 365 or UNF-hosted email). II. STATEMENT OF POLICY Email is a key communication resource provided by the University for the benefit and use of its employees, students, and authorized others. All email users have the responsibility to use their University-provided email account in an ethical and lawful manner. UNF utilizes two enterprise email solutions: a hosted solution for faculty and staff members for University business use and a separate cloud-based instance for students (O365 or Ospreys Mail). A copy of this policy shall be provided to all employees at the beginning of their employment at UNF. Any violation of this policy and procedures may result in disciplinary action, including but not limited to the loss of email privileges. III. DEFINITIONS Copy of Record - By generally accepted practice, the sender s copy of a document is designated as the copy of record. It is this copy to which the record retention requirements apply. All other copies are regarded as duplicates, and they may be disposed of when they have lost administrative value. However, email messages received from outside agencies or from the public are regarded as copies of record, and if their content qualifies them as public records, they must be retained. Additionally, administrative approvals received from within the UNF community are considered the copy of record. Deleted account - An email account that has been purged from University email systems. Disabled account - Email account status that prevents the user of the account from accessing it. This account status can be changed by UNF email administrators or IT Security. Employee - A person who has been officially hired by UNF and has an employee record in the Banner HR system. 1

Enterprise Resource Planning System (ERP) - Banner Student Administration, Human Resources (HR), or Financials systems: ERP is the authoritative source of information on Student, HR and Financials data, and identity data on all persons and entities affiliated with UNF. Expired account - Email account status that prevents incoming email from being accepted. This account status can be changed by UNF IT email administrators or the IT Security Office. Ospreys Email - UNF s student email system, supported by a distinct instance of Office 365. Students and current employees may obtain an account at no cost for personal use. Ospreys email is the official communication channel for messages from University offices to students. Non-Employee - A person affiliated with, but not officially employed by UNF. Office 365 (O365) - An email service offered by Microsoft Corporation. Office 365 is the email platform supporting UNF s enterprise email service and also Ospreys Email for students. Phishing - An attempt to acquire sensitive information such as usernames, passwords, and credit card numbers, often for malicious purposes, through electronic communications, such as email or text messages. Pre-Employment - The status of a person who has accepted employment at UNF, and is provisioned in the ERP system, but whose official start date has not occurred. Public Records - All documents, papers, letters, maps, books, tapes, photographs, films, sound recordings, data processing software, or other material, regardless of physical form, or characteristics, or means of transmission, made or received pursuant to law or ordinance or in connection with the transaction of official business by any agency which are used to perpetuate, communicate, or formalize knowledge. Retiree - An individual who has completed all steps necessary to retire from the University and is officially listed in the ERP system as a Retiree. Spam - Unsolicited and undesired electronic messages containing advertisements for products or services. Sponsored Account - A computer or email account created for individuals that do not fit standard employee or student roles, such as consultants, contractors, guests, courtesy appointees, etc. Student - A person who has been admitted into full-time, part-time, or transient student status and who has a student record in the Banner ERP system. Transitory Email Messages with short-lived or no administrative value. These include phone messages, meeting requests or other messages that become obsolete. University Business - In the context of this policy, electronic mail messages that a person covered by this policy may send or receive in the conduct of their University responsibilities. IV. GENERAL POLICY Email Data Ownership The University owns all University email accounts in all Microsoft Office 365 instances. The content in the faculty and staff O365 instance is owned by the University. University business must be conducted using the Microsoft Office 365 faculty and staff instance. The student Ospreys email system is for personal use, and therefore the content is personally owned. All email content in O365 instances is subject to copyright and other intellectual property rights under applicable laws and University policies. Email Privacy and Right of University Access 2

The University will make every attempt to keep email messages secure; however, privacy is not guaranteed and users should have no general expectation of privacy in email messages sent through University email accounts. Under certain circumstances, it may be necessary for University IT staff or other authorized University officials to access University email accounts. These circumstances may include, but are not limited to, maintaining the system, investigating security or abuse incidents or investigating violations of this or other University policies; and, in the case of Microsoft Office 365 Accounts, violations of Microsoft s Acceptable Use Policy or the University s contracts with Microsoft. University IT staff or University officials may also require access to a University email account in order to continue University business where the University email account holder can no longer access the University email account for any reason (such as death, disability, illness, or separation from the University.) Such access will be on an as-needed basis and any email accessed will only be disclosed to individuals who have been properly authorized and have an appropriate need to know or as required by law. The University may access the contents of email accounts for purposes of e- discovery, or officially sanctioned investigations. All email users are bound by the appropriate acceptable use policies of both the University and Microsoft. A listing of policies related to new hires is contained on the Human Resources website. Data Retention and Purging Email messages held in the O365 accounts for faculty and staff are subject to the University s storage and email retention policies. O365 mailboxes are set to a maximum storage size of one hundred gigabytes. Once the storage capacity has been reached, email must be archived or deleted by the account holder to get below the storage threshold. Email Record Retention All documents and other written materials that are made or received pursuant to law or that are made or received in the transaction of official University business are public records, which, regardless of form, must be retained and made available for public inspection upon request, unless a statutory exemption applies. Electronic mail messages qualify as public records if they meet these criteria. Each employee is responsible for ensuring that the employee s email is managed in compliance with the public records law, including retention requirements. Note that not all email needs to be retained. For example, both duplicates and master copies of all transitory messages may be disposed of when they are obsolete, superseded, or have lost their administrative value. Emails or instant messages must be retained by employees when: 1) those who have actual knowledge of matters in which it can be reasonably anticipated that a court action will be filed, 2) a subpoena has been served or notice of same has been given, 3) records are sought pursuant to an audit or similar pending or possible investigation, and 4) public records retention is required by Florida statutes or federal agencies. Retention periods for official records, including those in email form, can be found in the University's general records schedule. This is available from the Records Management Office (904-620-2779). It incorporates items from the General Records Schedule for State and Local Government Records (GS1), the University and/or Community College Records (GS5), and other University of North Florida retention schedules. Administrative offices are required each year to file records disposition requests with the Records Management Office for obsolete public records that they wish to destroy The record retention periods found in the records retention schedules are minimum retention periods. In practice, records may be retained longer than these minimum periods to accommodate one or more of the following: audit schedules, other retention requirements under law or accreditation standards, grant requirements, records disposition procedures, and, if applicable, pending litigation or records requests. RELATED INFORMATION Email archiving assistance: https://www.unf.edu/its/e-mail/outlook_archiving.aspx General records retention schedule for colleges and universities: http://dlis.dos.state.fl.us/barm/genschedules/gs05.pdf Florida Public Records Act: Chapter 119, Florida Statutes: 3

http://www.flsenate.gov/laws/statutes/2012 Appropriate Use and User Responsibility Restricted data, as defined by policy 6.022P Data Classification & Security, must not be stored or transmitted within the University email system unless the data is encrypted. Internal Use and Public data may be transmitted or stored within the University email system without data encryption. Sending restricted data from the University email systems to a non-university email system without data encryption is prohibited. Refer to the University policy 6.022P Data Classification & Security for further definitions and information on protecting data. Please refer to UNF policy 6.0100P, Email Distribution, for the University s requirements on mass email communications. Each individual is responsible for their account, including the safeguarding of access to the account. All email originating from an account is assumed to have been authored by the account holder, and it is the responsibility of that holder to ensure compliance with this policy. The sharing of passwords is strictly prohibited. All incoming email is scanned for malware and spam. Suspected messages are blocked from the user s inbox. Due to the complex nature of email, it is not possible to guarantee protection against all spam or malware, nor is it possible to prevent blocking of certain legitimate messages. It is therefore incumbent on each individual to use proper care to prevent the spread of malware. In many cases, messages containing or pointing to malware or phishing content appear to be sent from a friend, coworker, or other legitimate sources. Users should not click on links in an email message or open attachments unless the user is certain of the nature of the message and the sender. Suspicious emails should be forwarded as an attachment to ITSecurity@UNF.edu where they can be investigated. Personal Email Accounts / Email Forwarding To avoid confusing official University business with personal communications, and to adhere to Florida public records laws, employees must not use non-university email accounts (e.g., personal Hotmail, Yahoo, or Gmail accounts) to conduct University business. Forwarding University business related email to a non-university personal email account is not permitted in order to prevent potentially sensitive University information from being sent to external, non-secure email systems. Forwarding rules will be not allowed from the faculty and staff email instance. Student email is exempted from this provision and will be allowed to set up email forwarding. V. PROCEDURES Email Account Creation Employees Upon completion of the hiring or pre-employment process, and when an employee record is created in the Human Resources system, each employee has an email account created, with a default email address applied. Faculty and staff can establish an alternate, or alias, account name by using the self-service process in the online portal. Students Once student applicants are matriculated, the student Ospreys Email account is created. When a student is employed by the University (e.g., part-time employment, GTA, etc.), a separate email account will be created in the O365 faculty and staff email system for the purposes of conducting University business. Departmental & Sponsored Email Accounts Requests for shared departmental accounts require designation of an account holder who is responsible for the account as per these guidelines. The same is true for any sponsored accounts. Granting Access to Email The University may access the contents of email accounts for purposes of e-discovery, officially sanctioned or legally required investigations, or for business continuity reasons. 4

Active Employees and Students Request for access to an active employee s email account requires approval from the Office of the General Counsel or the Human Resources Director of Employee Labor Relations. Former Employee Request for access to a former employee s email account requires approval from the previous manager and approval from the dean or director of the employee s college or administrative department, plus the Office of the General Counsel or the Human Resources Director of Employee Labor Relations. Email Account De-Provisioning Notwithstanding the following procedures, University executives (e.g., president, provost, Office of the General Counsel, etc.) reserve the right to revoke email privileges for cause at any time. Faculty and Staff who leave before retirement Faculty (excepting adjuncts) and staff members who leave the University will have email privileges removed effective on their last worked day. If such separation is for cause, email privileges may be immediately revoked without notice. Upon request, automatic replies will be added to the email account to notify senders of the former employee s status and/or new contact information. An email account may also be assigned to a manager, or delegate, upon appropriate approvals. If necessary and as required by current records retention requirements, arrangements to preserve the contents of the account s mailbox must be made prior to account termination by the immediate supervisory position. For adjuncts, email accounts will be deleted at the start of the third term with no appointment to a job. Retired Faculty and Staff Faculty and staff members who have retired from the University will be permitted to obtain a new University email forwarding address on an opt-in basis. This address will be in a retirees instance (@retirees.unf.edu). Note that this is not an email account. Emeritus Faculty Emeritus faculty may retain a full email account upon designation of emeritus status, as if they were full-time faculty. Active Students and Alumni Student email accounts will only be provided during the period of time students are an active student at UNF. Currently this is set to expire at the beginning of the third term without enrollment. Prior to terminating the account, a solicitation will be sent to the student for an alternate email for use in contacting them in the future. Students have the option of downloading their data prior to deletion. Expelled Students If a student is expelled from the University, email privileges may be terminated immediately at the direction of the Vice President of Student Affairs or the Student Ombudsman. 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback