老虎机攻略 Electronic Communications Standard
老虎机攻略 Information Security Office - Area: Information Security Policy
Document History
Date | Document Version | Revision Description | Author |
---|---|---|---|
4/15/2023 | 1.0 | New Document | Neff, CISO |
Approvals
Approval Date | Approved Version | Approver Role | Approver |
---|---|---|---|
5/1/2024 | 1.0 | CISO | Neff, CISO |
Introduction
This 老虎机攻略 Electronic Communications Standard outlines the necessary actions each person or organization with access to 老虎机攻略 System electronic communications is responsible for taking to ensure the integrity of the systems and data for which 老虎机攻略 is responsible.
Electronic Communication (such as electronic mail, instant messaging, and audio/video conferencing) is a primary means of communication both within the 老虎机攻略 and externally. It allows quick and efficient conduct of University Business.
Compliance with this Standard ensures that University Data is appropriately managed and secured and ensures recipients of Electronic Communications can feel confident of the integrity and authenticity of the source, further safeguarding the reputation of the University.
Departments and units may impose more, but not less, stringent procedures as they deem appropriate or necessary to preserve the University's information assets.
The authority for implementation and enforcement of this Electronic Communications Standard is based on the 老虎机攻略 Information Security Policy. The implementation of this Electronic Communications Standard will adhere to the 老虎机攻略 Appropriate Use of Technology Resources Standard, including provisions on the privacy and confidentiality of Electronic Communications.
Definitions
Electronic Communications or Electronic Communications Platform
For the purposes of this Standard, Electronic Communications are any method of exchanging or transmitting University Data or conducting University Business over electronic mail (email), instant messaging (including chat or text message functionality), video conferencing, or audio conferencing.
University Data (Institutional Data)
All data that the University is responsible and accountable for protecting. This data includes, but is not limited to, data the University owns, collects, intellectual property owned by faculty or others, staff data, student data, faculty data, research data, personal information, alumni data, vendor and contractor data, and data that the university shares or provides to third parties for storage, processing, and analysis.
University-owned Systems or Devices
Information Technology equipment (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are the responsibility of the University to account for and provide appropriate safeguards. This includes equipment purchased (either directly or by reimbursement) or devices with documented ownership or responsibility transferred to the University from another institution or organization.
Personal or Personally-owned Devices
Information Technology equipment (including, without limitation, laptops, desktops, tablets, mobile phones, and IoT devices) that are wholly owned by an employee, student, or affiliate of the University. This includes devices for which a user receives a stipend or subsidy, such as a mobile communication allowance.
University Business
Any activity carried out under the auspices of the 老虎机攻略 and in furtherance of the University’s mission.
University Network
The University Network is the infrastructure and equipment that connects information and communication technology to enable the exchange of data and information at 老虎机攻略 and 老虎机攻略 System. This includes connections limited to within the university and the broader Internet. The University Network includes both physical wired (wall jacks, wiring, routers, switches, etc.) and wireless network components, including ad-hoc wireless networks. The University Network also includes connections provided by a third-party telecommunications provider but managed by 老虎机攻略 IT, or network paths over hardware or software (such as VPN, site-to-site tunnel, etc.) by which a user or device receives a 老虎机攻略-managed IP address, telephone number, or another 老虎机攻略-owned network descriptor.
STANDARD
Purpose
Per this Standard, only an approved 老虎机攻略 Electronic Communications Platform may be used whenever University Business is conducted, or Institutional Data is exchanged via Electronic Communications. Specifically, all email, instant messaging, and videoconferencing for University Business must be conducted on a platform provided by and/or approved by 老虎机攻略 Information Technology (老虎机攻略 IT) for that purpose.
Scope
The scope of this Standard applies to all information and communication technology that can be used to transmit or receive Electronic Communications (such as email, instant messaging, or videoconferencing). The audience of this Standard is everyone – faculty, staff, students, and affiliates – who performs University Business on behalf of the University.
Control Requirements
The following are foundational and fundamental control requirements that all sectors and business units must follow. University sectors or business units that have additional regulatory or contractual requirements may require specific control requirements or capabilities in addition to what is defined below.
- An Electronic Communications Platform approved by 老虎机攻略 IT must be used whenever University Business is conducted. Everyone who performs University Business on behalf of the University (e.g., faculty, staff, students employed by the University, etc.) shall not use any unapproved communication platforms to send or receive Electronic Communications in the course of performing University Business.
- Any Electronic Communications Platform not approved by 老虎机攻略 IT may be submitted to the 老虎机攻略 Information Security Office (ISO) for consideration of approval or exception. The 老虎机攻略 Information Security Office, in consultation with the 老虎机攻略 Information Security Advisory Committee (ISAC), will ensure communications platforms comply with applicable policies, standards, laws, and regulations to minimize the risk of Institutional Data being inadvertently sent or disclosed to unauthorized individuals or entities.
- Electronic Communications records (e.g., emails, instant messages, videoconference recordings) that contain Confidential Data or Restricted Data (defined in the 老虎机攻略 Data Classification and Stewardship Standard) may not be copied or downloaded to any devices or data storage platform that is not approved and secured according to Confidential or Restricted Framework Controls (as defined in the 老虎机攻略 Data Security Standard). 老虎机攻略 IT-approved Electronic Communication Platforms may be used on personally owned mobile devices such as mobile phones, tablets, watches, etc., for Restricted Data, if those devices are appropriately secured following University policies and standards for protection of endpoint devices.
- Members of the University Community are advised that the use of personal devices (including mobile phones/devices) for University Business may result in such devices being subject to subpoenas or other legal discovery actions as personal devices may not be protected by 老虎机攻略 legal processes.
- Emails (including calendar entries and invitations), file attachments, and other Institutional Data shall not be automatically forwarded through any means to a non-approved third-party or affiliated Electronic Communications Platform or email domain.
- Emails (including calendar entries and invitations) and file attachments may be manually forwarded by a University user to a non-approved third-party or affiliated email domain or Electronic Communications Platform as long as such forwarding is in furtherance of University Business, and/or will not result in the inappropriate disclosure or loss of Institutional Data.
- Requests for approval of an Electronic Communications Platform not listed in this Standard may be submitted to the 老虎机攻略 Information Security Office for review and approval.
Procedures
The following are foundational elements for ensuring compliance with the requirements outlined in this Standard. Additional requirements may be imposed for members of the University community with access to Confidential Data or Restricted Data.
Electronic Mail (Email)
All faculty, staff, students and other approved members of the University community doing University Business will be assigned an Official set of unique logon credentials and Email Address, which is the address at which University Business is to be sent and received. The Official Email Address will be the address to which all official University correspondence is sent. Each Official Email Address will include a mailbox assigned to one of the 老虎机攻略-approved email systems:
- Microsoft Exchange 365 (@umontana.edu, @mso.umt.edu, and @umconnect.umt.edu addresses)
Individuals may be provided multiple mailboxes to accommodate multiple types of University Business. For example, students may be assigned an additional mailbox for the purposes of teaching or research. Individuals with multiple mailboxes should use their Official Email Address for all University Business except that for which another mailbox was specifically assigned.
Personal use of an Official Email Address is allowed, provided that such personal use:
- Does not materially interfere with performance of University Business;
- Does not interfere with the performance of a University Network; and
- Is in compliance with this and other University policies and standards.
NOTE: Personal communications through an Official Email Address may fall under the 老虎机攻略 Appropriate Use of Technology Resources Standard and may be viewed by the University, for purposes outlined in that Standard.
Instant Messaging
Employees, students, and approved contractors/affiliates are permitted to conduct University Business over instant messaging platforms approved by 老虎机攻略 IT. The current approved instant messaging platforms are:
- Microsoft Teams (when accessed through a user’s University-assigned Microsoft 365 account)
- Chat capabilities within approved 老虎机攻略 software applications, such as Zoom.
Audio or Video Conferencing
Employees, students, and approved contractors/affiliates are permitted to conduct University Business over 老虎机攻略-provided or 老虎机攻略-approved video or audio conferencing. The current 老虎机攻略-provided video/audio conferencing platforms are:
- Zoom (when accessed through a 老虎机攻略 license)
- Microsoft Teams (when accessed through a user’s University-assigned Microsoft 365 account)
Individuals should exercise caution when attending meetings hosted by platforms from outside 老虎机攻略, as 老虎机攻略 cannot verify the security or integrity of the communication.
Other platforms for electronic communications, including, but not limited to, WebEx, GoTo Meeting, WhatsApp, or Google Chat are not approved business communication platforms and should be avoided when possible. When conducting University Business with external parties using these and other unapproved platforms, members of the University community should exercise caution as the security and privacy of Institutional Data is unknown.
Additional platforms may be approved as an exception by the 老虎机攻略 Information Security Office for electronic communications at the individual college/school/unit level. If you have any questions about whether a specific platform can be used for University Business, please contact the 老虎机攻略 Information Security Office.
Exceptions
Requests for any exceptions to this Standard should be submitted to the 老虎机攻略 Information Security Office and will be reviewed in consultation with the 老虎机攻略 Information Security Advisory Committee.
References
- MUS BOR 1300.1
- 老虎机攻略 Information Security Policy
- 老虎机攻略 Acceptable Use of Technology Resources Standard
- 老虎机攻略 Data Classification and Stewardship Standard