Information Security Standard Practices
Acceptable Use Agreement — Electronic Mail Security Disclosures
The purpose of this document is to establish a position on privacy, confidentiality, and security in electronic mail; ensure that College electronic mail resources are used for purposes appropriate to the College mission; inform the College community about the applicability of laws and College policies to electronic mail; ensure that electronic mail resources are used in compliance with those laws and College policies; and prevent disruptions to and misuse of College electronic mail resources, services, and activities.
2.0 College Property
As a productivity enhancement tool, Mt. San Antonio College encourages the use of electronic mail to further the mission of the College. All messages generated on or handled by Mt. SAC electronic mail systems are considered to be the property of Mt. San Antonio College.
3.0 Authorized Usage
Mt. San Antonio College electronic mail generally should be used only for College activities. Incidental personal use is permissible so long as:
- (a) it does not consume more than a trivial amount of system resources
- (b) it does not interfere with productivity, and
- (c) it does not preempt any College activity.
This means that Mt. San Antonio College electronic mail systems must not be used for political advocacy efforts, private business activities, or non-College related charitable fundraising campaigns. Employees are reminded that the use of College information system resources should never create either the appearance or the reality of inappropriate use. When an individual ceases to be employeed at Mt. San Antonio College, all their accounts and privileges on Mt. San Antonio College electronic mail systems will also terminate. Electronic mail will not be forwarded to the employees personnal account nor will it be forwarded to another employee of the college.
4.0 Use Only Mt. SAC Electronic Mail Systems
All college related email communications must be conducted using an email address assigned by the College. This restriction is necessary because email originating at the college may contain proprietary information regarding students, staff, or internal College business. The College is responsible for the security of this information, and cannot assume that other email providers will provide adequate levels of data backup, security, and virus protection. Therefore, forwarding of email from a Mt. San Antonio College email address to a non Mt. San Antonio College email address is not authorized or allowed. Additionally, users may not configure any email program or service to use an automated process for forwarding Mt. San Antonio College email to any other email address.
Employees must not use their personal electronic mail accounts with an Internet Service Provider (ISP) or any other third party provider while using Mt. San Antonio College computers. To do so would circumvent logging, anti-virus scanning controls, and backup controls that Mt. San Antonio College has established.
5.0 User Accountability
Regardless of the circumstances, individual passwords must never be shared or revealed. The authorized user of the account is responsible for all transactions conducted within that account. When a password is provided to and/or used by another person, the authorized user will be held accountable for any activity that takes place while the account is in use.
IET staff is able to research account information and investigate reported problems without knowing the user's password, and therefore will not request password information from a user.
If users need to share computer resident data, they should utilize message forwarding facilities, public directories on local area network servers, groupware databases, and other authorized information-sharing mechanisms. To prevent unauthorized parties from obtaining access to electronic mail, users must choose passwords that are difficult-to-guess (for example, not a dictionary word, not a personal detail, not a name, and not a reflection of work activities).
6.0 User Identity
Misrepresenting, obscuring, suppressing, or replacing another user's identity on an electronic mail system is forbidden. The user name, electronic mail address, organizational affiliation, and related information included with electronic messages or postings must reflect the actual originator of the messages or postings. Electronic mail "signatures" indicating job title, company affiliation, address, and other particulars are strongly recommended for all electronic mail messages being sent to non-College entities.
7.0 Use Of Encryption Programs
Employees are reminded that Mt. San Antonio College electronic mail is not encrypted by default. If sensitive information must be sent by electronic mail, encryption or similar technologies to protect the information must be employed. The IET Help Desk is available to assist with the installation and configuration of software to protect data transmission.
8.0 Respecting Intellectual Property Rights
Although the Internet is an informal communications environment, the laws for copyrights, patents, trademarks, and the like still apply. To this end, employees using Mt. San Antonio College electronic mail systems must: (a) repost or reproduce material only after obtaining permission from the source, (b) quote material from other sources only if these other sources are properly identified, and (c) reveal internal Mt. San Antonio College information on the Internet only if the information has been officially approved for public release. As an aside, all information taken off the Internet should be considered suspect until confirmed by another source. There is no quality control process on the Internet, and a considerable amount of Internet information is outdated, inaccurate, and/or deliberately misleading.
9.0 No Guaranteed Message Privacy
Mt. San Antonio College cannot guarantee that electronic mail will be private. Employees should be aware that electronic mail can, depending on the technology, be forwarded, intercepted, printed, and stored by others. Employees should be careful about the topics covered in Mt. San Antonio College electronic mail, and should not send a message discussing anything that they would not be comfortable reading about on the front page of their local newspaper. Except as otherwise specifically approved by management, employees may not participate in intercepting or disclosing electronic mail. Mt. San Antonio College is committed to respecting the rights of its employees, including their reasonable expectation of privacy. Mt. San Antonio College also is responsible for operating, maintaining, and protecting its electronic mail networks. To accomplish these objectives, it is occasionally necessary to intercept or disclose, or assist in intercepting or disclosing, electronic mail. To meet these objectives Mt. San Antonio College may employ content monitoring systems (which scan for certain key words) as well as other electronic system management tools.
10.0 Anti Virus Software
Unexpected attachments should be viewed with suspicion. Even if the sendor is known and trusted, viruses may still cause an infected attachment to be sent without the knowledge of the trusted sendor. Employees must comply with Mt. SAC anti-virus policies as stated in the Acceptable Use Rules, Procedures and Regulations.
11.0 Message Forwarding
Recognizing that some information is intended for specific individuals and may not be appropriate for general distribution, electronic mail users should exercise caution when forwarding messages. Sensitive information must not be forwarded to any party or parties outside Mt. San Antonio College without the prior approval of a department manager. Messages sent by outside parties should also not be forwarded to other third parties unless the sender clearly intended this and unless such forwarding is necessary to accomplish an ordinary business objective.
12.0 User Back-Up
If an electronic mail message contains information relevant to the completion of a business transaction, contains potentially important reference information, or has value as evidence of a Mt. San Antonio College management decision, it should be retained for future reference. Most electronic mail messages will not fall into these categories, and accordingly can be erased after viewing. Users must regularly move important information from electronic mail message files to hard-copy, word processing documents, databases, and other files. Electronic mail systems are not intended for the archival storage of important information. Important but old electronic mail messages can be periodically expunged by systems administrators, mistakenly erased by users, and otherwise lost when system problems occur. The IET Help Desk is available to assist with the installation and configuration of archival software.
13.0 Purging Electronic Messages
Messages no longer needed for business purposes must be periodically purged by users from their personal electronic message storage areas. Electronic mail messages stored on Mt. San Antonio College mail servers may be automatically deleted by systems administration staff. Mail quotas may be used to limit storage space.
14.0 Handling Alerts About Security
Users must report all information security alerts, warnings, and reported vulnerabilities to firstname.lastname@example.org as soon as possible. Information & Educational Technology is the only organizational unit authorized to determine appropriate action in response to such notices. Users are discouraged from forwarding these notices to other users as many of these notices are hoaxes.
If employees are bothered by an excessive amount of spam from a particular organization or electronic mail address, they must not respond directly to the sender. Instead, they must forward samples of the messages to email@example.com and the Systems Administrator will then take the matter up with the sender's Internet Service Provider (ISP). Employees should not create or forward spam including chain letters, advertisements, etc.
Recipients of electronic mail messages of a threating nature, including coercion, threats, hate mail, etc. should reply directly to the originator with a specific statement directing the sender to discontinue. If the originator does not promptly stop, employees must report the communications to firstname.lastname@example.org. Mt. San Antonio College retains the right to remove from its information systems any material it views as offensive or potentially illegal.