Information Security Standards
Email and Campus Communication Standard
IS-ECC
Effective Date: TBD
Version: 2.0
Contact: Mike Cook

Executive Summary
The Email and Campus Communication standard defines the requirements for how SJSU's email and other forms of electronic communication should be used for employees and students. This standard of due care will help prevent the unauthorized loss of or destruction of sensitive campus information that is transmitted through email and other modes of communication. Workers must restrict their electronic communications to business matters.

Revision History
Date, Action
5/27/2014: Draft sent to Mike
12/1/2014: Reviewed. Content suggestions. Added comments. Hien Huynh
3/7/15: Review. Content changes. Prepared for publishing draft. Mike Cook

Table of Contents
Executive Summary
Introduction and Purpose
Scope
Standard
  Compliance to Standards Retention Standard
  Electronic Mail Communication for Employees
    Employees must use university email address
    People without university email address
    Refusal to service non SJSU email addresses
    Faculty and Staff sending email to students
  Electronic Mail Communication for Students
    Official University Communications will use SJSU email address
    Email forwarding
    Responsibility for lost and deleted emails
    Retention of important University documents
  Electronic Mail Communications Security
    Electronic Marketing Material Source
    Inappropriate Electronic Mail Messages
    Electronic Mail Privacy
    Electronic Mail Encryption
    Electronic Mail Message Monitoring Approval
    Electronic Mail Modification
    Centralized Control over Electronic Mail Systems
    Bulk Electronic Mail
    All Campus, All Students, All Staff emails
    Sending Unsolicited Electronic Mail
    Distributing SJSU Information via Blogs
    Electronic Mail Attachments
    Unexpected Electronic Mail Attachments
    All Mail Servers Must Run Approved Spam-Filtering Software
    Responding to Spam Messages
    No Specific Information in Automated Electronic Replies
  Instant Messaging
    Transmission of sensitive information using IM
  Telepresence Video Conferencing
    Approved Telepresence video conferencing application
  Web Conferencing
    Approved Web Conferencing application
More Information

Introduction and Purpose
The Email and Campus Communication standard defines the requirements for how SJSU email and other forms of electronic communication should be used for employees and students. This standard of due care will help prevent the unauthorized loss of or destruction of sensitive campus information that is transmitted through email and other modes of communication.

Scope
This standard applies to all SJSU State, Self-Fund, and Auxiliary ("campus") users with a sjsu.edu or mlml.calstate.edu email address. The information covered in this standard includes, but is not limited to, information that is either transmitted or shared via electronic mail, instant messaging, video conferencing, or collaboration technologies.

Standard

Compliance to Standards Retention Standard
Specific requirements for the storage and deletion of email are specified in the Retention Standard. For more information, refer to the SJSU Retention Standard.

Electronic Mail Communication for Employees

Employees must use university email address
Any university employee must use their sjsu email address while conducting university business. University employees include faculty, staff, and administration. In order to maintain FERPA compliance, faculty shall not communicate with students via non-university email addresses, nor shall they forward university communications to a personal email address.

People without university email address
Any auxiliary or other person needing an sjsu email address should be entered into the proper system as a person of interest, by contacting Human Resources for more information.

Refusal to service non SJSU email addresses
IT services may refuse to service customers using non-sjsu email addresses.

Faculty and Staff sending email to students
All faculty and staff must use the student's sjsu email address when sending email to students, especially sensitive information such as financial transactions or student records including assignments, grades, and other information pertaining to the student's record.

Electronic Mail Communication for Students

Official University Communications will use SJSU email address
All official university communications will be delivered to employees and students at their sjsu email address. Official communications from administration and the president will go to SJSU email addresses only. It is the recipient's responsibility to check their email regularly and respond to official communications as necessary.

Email forwarding
If the student wishes to use another email address for campus communication, then they need to sign in and forward it to their other address.

Responsibility for lost and deleted emails
Users are responsible for any lost and deleted emails, including their retention settings. Users are responsible for deleting old messages that are no longer needed. It is important to understand that when the user's mailbox is full, it might automatically delete previous messages in order to accept new ones. IT services does not have the ability to restore messages that have been deleted by the 3rd party provider.

Retention of important University documents
Email should not be the sole mechanism for retaining important university documents. Students are encouraged to extract any important attachments from their email onto their hard drive on a regular basis for safe keeping.

Electronic Mail Communications Security
Information involved in electronic messaging should be appropriately protected.

Electronic Marketing Material Source
All marketing materials sent through electronic mail must include an accurate return address and must provide clear and explicit instructions permitting recipients to quickly be removed from the distribution list.

Inappropriate Electronic Mail Messages
Workers must not create and send, or even forward, any externally-provided electronic mail messages that may be considered to be harassing in nature, or that may contribute to the perception of a hostile work environment.

Electronic Mail Privacy
Electronic mail is considered by SJSU to be private information, and must therefore be handled as a private and direct communication between a sender and a recipient.

Electronic Mail Encryption
All sensitive information including, but not limited to, credit card numbers, passwords, and research and development information must be encrypted when transmitted through electronic mail. Currently this option is not available in the 3rd party email system. All sensitive data must be encrypted prior to uploading as an attachment in email and must not be contained in the message body.

Electronic Mail Message Monitoring Approval
Email administrators must only access another user's email account in strict compliance with ICSUAM8105.

Electronic Mail Modification
Workers must not modify, forge, or remove any information appearing anywhere in an electronic mail message including the body of the message or the header.

Centralized Control over Electronic Mail Systems
Centralized control over both inbound and outbound electronic mail will be provided by the Information Technology Department. All SJSU electronic mail must flow through systems established, operated, and maintained by that same department. All on-campus systems which send email externally must do so through an SMTP relay server controlled by IT Services.

Bulk Electronic Mail
Workers must not use SJSU computer systems for the transmission of any type of unsolicited bulk electronic mail advertisements or commercial messages that are likely to trigger complaints from the recipients.

All Campus, All Students, All Staff emails
Emails to complete campus constituent groups shall be sent only with Vice Presidential approval. These messages are not to be for the purposes of marketing or event announcement. IT Services shall provide a regulated system for the purpose of official mass communication, which must be capable of messaging each constituent group and synchronized with the Common Management System. Cabinet shall control access and utilization of this tool.

Sending Unsolicited Electronic Mail
Users must not send uninvited or unsolicited electronic mail (also known as spam) to a large number of recipients. This includes commercial advertisements, charitable solicitations, questionnaires/surveys, chain letters, and political statements.

Distributing SJSU Information via Blogs
Workers must not publish or otherwise communicate any SJSU internal information on the Internet, or in any other public forum, unless this public disclosure has first been approved by University Advancement. Such publishing includes, but is not limited to, weblogs (blogs), Internet discussion groups, social networks, and personal web pages.
Further guidance about what information may be publicly released can be found in the Information Classification Policy.

Electronic Mail Attachments
Workers must not open electronic mail attachments unless they were expected from a known and trusted sender, and these attachments have been scanned by an approved anti-virus software package.

Unexpected Electronic Mail Attachments
Users who receive an unexpected attachment to an electronic mail message that does not have a credible business-related explanation must not open the attachment until they obtain a believable explanation from the sender.

All Mail Servers Must Run Approved Spam-Filtering Software
All SJSU mail servers must run the latest version of spam-filtering software approved by IT Services.

Responding to Spam Messages
To keep spam to a minimum, users must refrain from responding in any way to spam and must not purchase anything advertised in spam.

No Specific Information in Automated Electronic Replies
Automated electronic mail replies should not include specific information, such as names and contact information for campus personnel that could be used to gain access to sensitive data.

Instant Messaging

Transmission of sensitive information using IM
IM should not be used for communication of sensitive level 1 or level 2 confidential information, including confidential information contained in files. For more information on data classification, refer to the SJSU Security Standard for Information Classification and Handling.

Telepresence Video Conferencing

Approved Telepresence video conferencing application
Campus users and students must use the official approved Telepresence vendor and applications for campus communication.

Web Conferencing

Approved Web Conferencing application
Campus users and students must use the official approved web conferencing solution application for campus communication.

More Information
- San Jose State University: Retention
- San Jose State University: Security Standard for Information Classification and Handling