Guideline for E-mail Services




Under the Policy on Information Technology, the Vice-President and Provost is authorized to establish guidelines for information technology services at the University of Toronto.

The University strives to provide highly-available, functional, and secure e-mail service to students, faculty and staff. E-mail service is provided institutionally to faculty, staff and students by UTORmail, a service operated by Computing and Networking Services. Other units may elect to offer e-mail services to their constituents for reasons such as scale or specialisation. The existence of providers within the University is acceptable as long as the services provided are compliant with institutional standards.

The Policy on Official Correspondence with Students requires that students maintain a University-provided e-mail account for official communications. For reasons of security and deliverability, such official University e-mail services are best provided by internal organisations; that is, organisations whose network and equipment are within the University's domain and under the University's full operational control.

Reporting on compliance with institutional standards will be required by 31 March 2008. A report confirming compliance is to be submitted to the Vice-President and Provost, or Designate. Subsequent confirmation of compliance is to occur in annual reports. Proposals to enter into arrangements with external e-mail service providers must be submitted for approval to the Vice-President and Provost, or Designate. (See Policy on Contracts.)

Institutional E-mail Service Requirements

An e-mail service provided to faculty, staff or students must be required to incorporate the following service level information and system specifications:

Service Level Information

o Access Controls: Documented rules regarding who may use the service, how access is provided and removed.

o Appropriate Use Definition and Acceptance: Users must be required to accept the University's Appropriate Use of Information and Communication Guidelines when applying for access. These guidelines and associated policies, such as the Policy on Official Correspondence with Students and the Code of Student Conduct, must be referenced on a service acceptance page, and acknowledged prior to gaining access to the service. [1]

o Authentication Service: New e-mail services must use the University's authentication system, UTORauth, for ID and password. Existing services may continue to deploy local authentication systems, but should consider adopting or interoperating with UTORauth.

o Blocklisting: Service consumers are to be notified that e-mail services may occasionally be blocked by external providers. At times, the internal provider may not be aware that a block is in place, and the blocking may also be transient. Once notified of a problem, the internal service provider will attempt to contact the external service provider and seek service restoration. As this condition may take some time to resolve, service consumers are to be notified of the expected duration whenever practicable.

o Delivery Service Goal: Service providers are to advise on their delivery expectation, e.g., within x seconds under normal circumstances, as well as to note that e-mail is not always delivered within that timeframe, especially when leaving the university's network.

o Disaster Recovery: Service providers are to develop and test recovery methods to mitigate the risks of service outages due to system failures. Service providers are to communicate their recovery plans and return-to-service expectations.

o E-mail Naming Conventions: E-mail addresses must end with utoronto.ca or toronto.edu to qualify as a University issued electronic mail account required by the Policy on Official Correspondence with Students.

o Forwarding Caution: The proliferation of hosted e-mail services means that faculty, staff and students may be forwarding their e-mail accounts to external providers. Internal e-mail providers may provide forwarding options but the option must be accompanied by cautionary text advising that:
   o forwarded messages may be blocked or experience other delivery problems related to forwarding to an external service provider;
   o the holder of a University issued electronic e-mail account remains responsible for ensuring that all University communications sent to that account are received and read.

o Junk Mail Filtering: Services that offer junk mail filtering are to notify users that the function is present, and advise that periodic checking of junk mail folders is advised. Where there are specific file extensions being filtered, these are to be listed.

o Legislative Compliance: Periodically, legal situations (e.g., subpoenas, criminal investigations) may require records to be extracted to support an investigation. Services are to inform users of the existence of processes for providing records to the police, court-authorised recipients, or internal staff.

o Procedure for Notification of Alleged E-mail Abuses: Services are to provide contact information for concerns regarding cases of alleged abuse or misuse of the e-mail service. Reporting of alleged abusers must comply with privacy rules. Information regarding the length of time that transaction logs are stored (needed for tracing e-mail activity) is to be included in the service description.

o Service Compliance: All e-mail service providers must be required to verify their continued compliance with institutional standards within an annual accountability report.

[1] If a unit has a concurrent appropriate use policy it should be replaced with the institutional guideline. Units should highlight appropriate use provisos that extend beyond the institutional guideline. Where provisos are in conflict, the institutional guideline shall have precedence.

Final Draft 20 February 2008

Specifications

o Anti-Spam: E-mail services must provide anti-spam filtering either through the institutionally-provided system or via another commercial or community-supported alternative. It is the responsibility of the service provider to keep the spam filters up-to-date.

o Anti-Virus: E-mail services must provide anti-virus scanning for incoming mail. Clear documentation is to be provided as to how attachments are handled when a virus is discovered.

o Data Backup: A regular backup process with a stated retention period is required. Limitations to the backup should be noted, for instance, if backups are performed every other day.

o E-mail Attachment Limit: The maximum attachment size must be stated. Users are to be advised that messages with large (e.g., greater than 10 MB) attachments may not be accepted by recipient e-mail services.

o E-mail Relays: E-mail servers should not relay messages from unknown and unauthenticated sources. Open relays are usually discouraged but when special circumstances warrant, relaying should occur with known and trusted hosts only.

o Mailbox Quota: Each e-mail service is to define a maximum mailbox size. Options for mailbox limit increase may be made available by the service provider.

o Outsourced E-mail: At present, e-mail services must be hosted on the University campuses and cannot be outsourced.

o Security: E-mail services should include the capability for data encryption and digital signatures to allow for the protection of confidential correspondence.

o Service Level Definition: Service providers are to provide expectations of availability. Include:
   o Targeted Uptime: (e.g. This service will target 99.9% availability, or downtime of 8.76 hours/year.)
   o Scheduled Maintenance: (e.g. There will be no scheduled maintenance during regular business hours, Monday through Friday, 8:45 A.M. to 5:00 P.M.)
   o Notice of scheduled maintenance will be provided (e.g. at least 24 hours) prior to outage.
   o Emergency Maintenance: e.g. In situations that threaten the integrity of the service, the Provider reserves the right to immediately shut the system down to apply repairs or configuration changes.

Related Policies and Guidelines

o Policy on Information Technology http://www.utoronto.ca/govcncl/pap/policies/inftech.pdf
o Policy on Approval and Execution of Contracts and Documents http://www.governingcouncil.utoronto.ca/assets/policies/policy/contracts.pdf
o Policy on Official Correspondence with Students http://www.utoronto.ca/govcncl/pap/policies/studentemail.html
o Appropriate Use of Information and Communication Technology Guidelines http://www.provost.utoronto.ca/policy/use.htm
o Network Security Policy http://www.utoronto.ca/security/documentation/policies/policy_5.htm
o Code of Student Conduct http://www.utoronto.ca/govcncl/pap/policies/studentc.html
o Policy on Access to Student Academic Records http://www.utoronto.ca/govcncl/pap/policies/sturec.html

Service Information Template (Sample)

A service template is to be completed by each of the university's e-mail service providers. The service description is to be available as a link from the service's login page. The text displayed below is generic. Service providers are to tailor the content as appropriate to their service details.

Service Level Declaration: This e-mail service targets 99.5% uptime under normal circumstances. 99.5% equates to 216 minutes of scheduled outage per month.

Element: Service Definition (examples)

Access: This service is available to active faculty and graduate students of the Department of Relativity.

Anti-Spam: [Name of Application] or none

Anti-Virus: [Name of Application] or none

Appropriate Use: This service follows the University's Appropriate Use of Information and Communication Technology Guidelines. See: http://www.provost.utoronto.ca/policy/use.htm

Authentication Service: UTORid or other

Business Continuity: Sample Text: This service deploys a redundant disk array (RAID 10) to protect against data loss due to damaged disks. Backups are performed daily and stored for two weeks. In the event of a local system or network outage, every effort will be made to get the system running again as quickly as possible. Status reports will be provided via available services such as a departmental or institutional Web site or phone tree.

Delivery Service Goal: Messages sent between users of this e-mail service, and other e-mail services provided by the University community will normally be delivered well within 30 minutes, unless there are network problems locally or across the university. Delivery times may

E-mail Attachment Limit: xx MB. For reference, UTORmail has a 50 MB limit. UTOR_Webmail has a 10 MB limit. Please avoid distributing multiple copies of an attachment via e-mail. Large files may be posted to your Portal Content Area, a departmental shared folder, or Sharepoint. Files may also be placed in an ftp site. Contact the System Administrator for assistance.

E-mail Naming Conventions: Accounts on this service will follow the structure of firstname.lastname@dept.utoronto.ca. Departmental addresses may be established without the dot, e.g., suggestionbox@dept.utoronto.ca

Encryption and Digital Signatures: This service provides encryption and digital signature capabilities. These functions should be deployed when sending personal or confidential information.

Forwarding: Please note that this service does not offer forwarding in order to increase the likelihood of delivery. External service providers do periodically block dept.utoronto.ca messages.

Junk Mail Filtering: This service uses the [Name of Application] to filter spam and viruses. Suspicious messages are automatically redirected to your Junk folder. Please review the folder if you have not received an expected message. The Junk mail folder purges tagged messages on a 30-day basis. Messages ending in .exe, .zip, and .virus are automatically filtered. Do not open these attachments if found in the junk folder unless you know the sender and about the attached file.

Message Recovery: This service will store e-mail messages for N days after entering your Inbox. If you accidentally delete a message, notify your system administrator immediately to request message retrieval. Beyond N days, the message will be irretrievable from internal storage. Note: Recovery applies to e-mail protocols, such as IMAP, that leave messages on the server. [2]

Procedure for Notification of Alleged E-mail Abuses: This service respects the quality of your e-mail experience. If you are concerned about the security of your e-mail (for example, you think someone may be accessing your mailbox, or you are receiving an unusual number of offensive messages), contact your e-mail system administrator (Pat Smith 416.978.0000) in confidence.

Quota (Mailbox): ### MB on the server. Note that you may store additional e-mail on your local or network drive. For configuration assistance contact the System Administrator.

[2] COMMENT: Remember, this is a template in which you define the service provided. It may be that you will not/cannot provide message recovery. In that case state "This service will not provide recovery of deleted messages." Or, "This service will make a best effort to recover a message and a labour and materials charge will be applied."

Additional Comments and Recommendations for Follow-up

All mail sent between Exchange users is inherently encrypted. Mail sent from Exchange to another non-Exchange environment is clear text. If end-to-end message security is required with users outside the Exchange service, the use of certificates and/or digital signatures is advised.

Long-term archiving:
o backups are made specifically for the purpose of system recovery;
o backups will not be kept for a period of longer than 1 month;
o users are solely responsible for organizing and archiving their own data, and for meeting any FIPPA requirements that may be applicable to them.

Would it be wise for the University to make some kind of wider statement about the limited responsibilities that the managers of e-mail systems have to be responsible for the archiving and organizing of their users' data?

Implementing UTORauth authentication should also require that encryption be enabled in order to safeguard the users' credentials. Normally e-mail servers do not encrypt any traffic, so users' passwords are sent over the network in plain text and are therefore subject to theft.