Educause Security Discussion mailing list archives

Re: Policy language around email and other forms of "official electronic communication" platforms


From: Catherine Ullman <cende () BUFFALO EDU>
Date: Fri, 22 Jan 2021 21:59:25 +0000

Jim,

I'd dovetail with Brian's comments especially about avoiding PII/regulated
data in all of these platforms.  The reality is that email, generally
speaking, is by its very nature not secure - even though there are ways to
make it more secure - and these messaging platforms also have risks.  Asking
people to remember not to send PII to external entities is, IMHO, not
practical.  For example, you'll have people who send a message to 3 people
internally and one externally, forgetting that they weren't supposed to do
it.  Even putting all the bells and whistles of O365 in place, I wouldn't
take that chance.  But that's just my $0.02.

Best,

Cathy

Dr. Catherine J Ullman

Senior Information Security Forensic Analyst

Information Security Office

University at Buffalo

cende () buffalo edu <mailto:cende () buffalo edu> 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Martinez, Brian
Sent: Friday, January 22, 2021 4:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Policy language around email and other forms of
"official electronic communication" platforms

Jim,

My two cents: while email may be the "official electronic communication
platform" I would tend to stay away from PII being used within it, whether
internal or not. Worst case, assuming you have access to such tools (I think
it's built-in at all levels of 365(?)), utilize the #encrypt feature in the
subject line to encrypt sensitive data. Best case, you find some other more
secure medium to act as an intermediary for sending/receiving such data.

I'd consider Teams within the same realm as email. The whole idea behind
Slack, originally, was to be an "email replacement." I feel Microsoft really
made better progress towards that than Slack did given how heavily Teams
ties into the [collaborative] 365 environment. And, of course, during this
pandemic, Teams usage has become pervasive. While certainly a separate
product from Outlook/Exchange, it is likely assessed similarly (by which I
mean the answers on a HECVAT from the Microsoft Teams team would likely be
nearly the same answers provided by the Microsoft Mail team). I would think
Zoom, Blackboard, and any other products in which you can message should be
encompassed in the policy as well, but I would absolutely not send anything
PII through them and it sounds like your policy would already address that.
Shorter answer here: Yes, definitely include other forms of electronic
communication in said policy.

Regards,

Brian R. Martinez

Information Security

Michigan State University

Office: +1-517-884-8791

brm () msu edu <mailto:brm () msu edu> 

From: The EDUCAUSE Security Community Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> > On
Behalf Of Bole, Jim A
Sent: Friday, January 22, 2021 11:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU <mailto:SECURITY () LISTSERV EDUCAUSE EDU> 
Subject: [SECURITY] Policy language around email and other forms of
"official electronic communication" platforms

We're working on an email policy that is mostly focused on making sure
everyone knows email is the main official method of communication. There are
sections about no expectation of privacy, everyone has to read their emails,
etc.

There is a section on using email for sensitive data. We do have a simple
data classification standard, but we don't have clearly defined rules for
when email can be used for top-levels of sensitive data (HIPAA, SSNs, etc).

I think there should be a distinction between emails sent internally vs
externally. We're an O365 shop and my understanding is that email (and other
data such as OneDrive, Teams) within our tenant meets basic encryption
requirements for both in-transit and at-rest conditions (outside of the
issue of Microsoft having the keys/certs). External email is a qualified
"maybe" with some services negotiating secure transport while others don't.
So we can't guarantee the security/encryption.

I'm curious if others agree with this.

I'm also looking at adding sections for bulk mail, relaying and forwarding.

And, I wonder if it makes sense to expand the policy to include other forms
of "official electronic communication." Is Teams the same as email? What
about chat in Blackboard or Zoom? While these may not be used to communicate
official university announcements, they are used by students and employees to
conduct sanctioned university operations. So for that there should be
similar rules about no privacy, sensitive information, inappropriate use,
etc. I'm torn on this aspect, so I'd be interested in feedback.

Any other suggestions or examples of good policies appreciated.

Jim Bole

Chief Information Security Officer 

Information Technology Services

University at Albany

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community
list. If you want to reply only to the person who sent the message, copy and
paste their email address and forward the email reply. Additional
participation and subscription information can be found at
https://www.educause.edu/community
