Email System
Acceptable Use and Security Policy

Policy
Rationale
Standards & Procedures
Revisions
Approval Dates

(Summary of Changes/Additions/Deletions)

Policy:

Electronic messaging (Email) is an essential and enabling application that facilitates the flow of information within the University and with external correspondents.  Electronic messaging systems will be managed and protected across the University in accordance with common standards and procedures. 

Rationale:

The University depends on the availability and responsiveness of Email for the normal conduct of University business.  The widespread acceptance of Email, both within the University and in our personal lives, as a means of rapid communication and dissemination of information has led to a wide variety of consumer and enterprise email applications and services.  These applications and systems are often purchased and installed without regard for the ongoing administrative support needed to maintain system integrity and the security and confidentiality of the information they convey.  For the conduct of University business using email, efficiency of operation and maintenance of security are best achieved by limiting the number of Email systems serving the University and by using only enterprise-class systems to supply email accounts.

Indiscriminate mass emailing to the University community can quickly consume the capacity of the mail processing systems and delay delivery of other messages that may be critical.  Additionally, the receipt by University users of excessive numbers of mass mailings is a workplace irritant and does not promote the efficient use of information systems or human resources.

For the purposes of this policy, Email does not include instant messaging (IM).

Standards & Procedures:

Standards:

Attachment Type Limitations.  Email attachments received on campus will be filtered to exclude specific filename extensions (e.g. .exe, .com) as may be determined to be a security threat by the University Information Security Officer.
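
The following is an added example, not part of the policy text and not the University's actual filter. It shows what an extension filter of the kind described above has to handle in practice: mixed case, trailing dots that Windows ignores, and double extensions such as "invoice.pdf.exe". The blocked list beyond .exe and .com, the sample message, and the address example.edu are assumptions made for the example. Note that a filter on the declared attachment name sees neither the file content nor the contents of archives, which is why the policy pairs it with anti-virus gateways (see Virus Detection and Removal below).

```python
import email
import email.policy
from typing import List, Optional, Tuple

# Extensions to reject. The policy names .exe and .com; the others are an
# assumed list for this example, not the University's actual list, which the
# policy leaves to the Information Security Officer.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}


def blocked_extension(filename: str) -> Optional[str]:
    """Return the blocked extension found in an attachment name, or None.

    The name is lower-cased and trailing dots and spaces are removed, since
    Windows ignores them when choosing how to open a file ("payload.exe."
    still runs as an .exe). Every dotted segment after the base name is
    checked, so "invoice.pdf.exe" (real extension hidden behind a fake one)
    and "setup.exe.txt" (executable renamed to slip past a last-segment
    check) are both flagged. The second case is a deliberately conservative
    choice: it trades a few false positives for catching renamed binaries.
    """
    name = filename.lower().rstrip(". ")
    for segment in name.split(".")[1:]:
        if segment in BLOCKED_EXTENSIONS:
            return segment
    return None


def scan_message(raw_message: str) -> List[Tuple[str, str]]:
    """Parse an RFC 822 message and return (filename, extension) for every
    attachment whose declared name carries a blocked extension."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    hits: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition, then Content-Type name=
        if not filename:
            continue
        ext = blocked_extension(filename)
        if ext:
            hits.append((filename, ext))
    return hits


# Constructed sample message: a benign PDF plus an executable disguised with
# a mixed-case double extension. Attachment bodies are short placeholders.
SAMPLE_MESSAGE = """\
From: sender@example.com
To: recipient@example.edu
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please see the attached files.

--BOUNDARY
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY
Content-Type: application/octet-stream; name="Report.PDF.exe"
Content-Disposition: attachment; filename="Report.PDF.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

if __name__ == "__main__":
    for name, ext in scan_message(SAMPLE_MESSAGE):
        print(f"blocked attachment {name!r} (.{ext})")
```

Run against the constructed message, the PDF passes and "Report.PDF.exe" is reported as blocked because of its .exe segment.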

Conveyance of Confidential or Sensitive Information.  Users of all Email systems must be aware that information sent or received in email messages is generally not encrypted, and that such messages must not be assumed to be confidential or unaltered.  Unencrypted email will not be used for the conveyance of personal or sensitive information (see Sensitive Information Protection Policy).

Email Broadcasts.  Use of the centrally managed Email systems of the University for mass distribution of mailings will be governed by the criticality of the content of mailings as follows:

Critical Messages. Critical messages that need to be distributed to all University employees must be approved by the President, the Provost, a Vice President, or the Director of University Relations prior to submission for distribution. Critical messages intended for students must be approved by the Vice President for Student Services prior to distribution. Critical messages are categorized as either time-sensitive or non-time-sensitive.

Informational Mailing Lists. Users of email systems at Georgia State University are not permitted to arbitrarily send messages to all, or nearly all, of the system users. Instead, Informational Mailing Lists have been created and are designed to reach targeted audiences. Individuals may selectively join any, or all, of these mailing lists. Mailings to each list are distributed on a nightly basis.

Production Messages. Messages to be generated by a production application, and sent on a schedule to a specific population, require a one-time advance approval by the President, the Provost, or a Vice President.

Email Relay.  All University hosted email systems will be configured to prevent use by third parties as email relay platforms.

Email Systems.  University Computing and Communications Services (UCCS) will operate centrally managed email systems for the University to support the needs of faculty, staff, and students (and retirees as resources permit).  Departments wishing to operate existing or new email systems for business, academic or research purposes must notify UCCS of their use and attest ongoing compliance with all standards in this policy.  Email systems in compliance with this policy will be permitted to send and receive Simple Mail Transfer Protocol (SMTP) traffic to and from the Internet.  All other devices will be blocked from sending or receiving SMTP traffic at the campus Internet router.

Encryption of Web-based Access.  Client access to email must use a minimum of 56-bit encryption for authentication so that account passwords are not sent in the clear.  Web clients may use a secure web server utilizing the HTTPS and SSL protocols.  POP and IMAP clients may use secure POP or IMAP protocols over SSL connections.  Clients using Linux or Unix shell mail software may use a secure encrypted protocol such as SSH to log in to the server.

Passwords.  Strong password guidelines as published in the Minimum Information Security Environment Policy (Create or Change a Password) will be applied on all University hosted Email systems.

Patch Management.  Email servers must be updated with new security patches for both the operating system and the mail server application as those patches are released by vendors.  UCCS is responsible for patching the centrally managed email systems.  Departments are responsible for patching the additional systems they operate under the Email Systems standard above.

Virus Detection and Removal.  Active anti-virus detection and quarantine clients will be installed on all email servers.  Where possible, these anti-virus applications will be configured for automatic update of virus signatures.  Additionally, anti-virus gateways will be utilized to scan inbound and outbound messages.

Procedures:

Document Initial and On-Going Compliance of Email Servers
Distribute a Critical Time-Sensitive ("Send Now") System-Wide Email Message
Distribute a Critical Non-Time-Sensitive ("Send Next Day") System-Wide Email Message
Subscribe to (Join) a University Mailing List
Send a Message to a University Mailing List
Unsubscribe from (Quit) a University Mailing List
View University Mailing List Messages Posted on the Web
Distribute a Production Message

Revisions:

This is the first issue of this policy.

Approval Date(s):

Reviewed by IST: 3/9/04
Reviewed by Departmental Email Administrators: 5/11/04
Reviewed by ISAT Senate Committee: 3/18/04, 4/15/04, 5/20/04, 1/19/06
Approved by ISAT Senate Committee: 5/20/04, 1/19/06
Approved by University Administrative Council: 8/4/04
Version number: 1.0.0
Effective Date: 6/1/04

SUMMARY OF CHANGES/ADDITIONS/DELETIONS

This policy was written in response to University Auditing and Advisory Services report “Email Security Internal Audit Report” dated December 18, 2003. This policy incorporates the content of Email Broadcast Policy as approved on 5 January 2003 and replaces it in its entirety.
